This is the accessible text file for GAO report number GAO-09-523 
entitled 'Information Technology: FDA Needs to Establish Key Plans and 
Processes for Guiding Systems Modernization Efforts' which was released 
on June 2, 2009.  

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

June 2009: 

Information Technology: 

FDA Needs to Establish Key Plans and Processes for Guiding Systems 
Modernization Efforts: 

GAO-09-523: 

GAO Highlights: 

Highlights of GAO-09-523, a report to congressional requesters. 

Why GAO Did This Study: 

The Food and Drug Administration (FDA) relies heavily on information 
technology (IT) to carry out its responsibility for ensuring the safety 
and effectiveness of certain consumer products. Recognizing limitations 
in its IT capabilities that had been previously identified in studies 
by FDA and others, the agency has begun various initiatives to 
modernize its IT systems. GAO was asked to (1) evaluate the agency’s 
overall plans for modernizing its IT systems, including the extent to 
which the plans address identified limitations or inadequacies in the 
agency’s capabilities, and (2) assess to what extent the agency has put 
in place key IT management policies and processes to guide the 
implementation of its modernization projects. 

GAO analyzed FDA’s plans to determine whether they followed best 
practices and addressed capability limitations, reviewed key management 
policies and processes, and interviewed agency officials. 

What GAO Found: 

In response to federal law and guidance and urgent mission needs, FDA 
is pursuing numerous modernization projects (including 16 
enterprisewide initiatives), many of which are in early stages. 
However, FDA does not have a comprehensive IT strategic plan to 
coordinate and manage these initiatives and projects. Such a plan would 
describe what the agency seeks to accomplish, identify the strategies 
it will use to achieve desired results, and provide results-oriented 
goals and performance measures that permit it to determine whether it 
is succeeding. FDA has developed two high-level planning documents that 
include some of these elements, but not all: 

* The agency’s Strategic Action Plan provides high-level goals and 
objectives related to modernization of infrastructure and systems, but 
it does not provide details on IT initiatives, such as milestones and 
performance measures. 

* An IT plan for FDA’s user fee program for drugs and biological 
products focuses on selected projects in greater detail, but these 
projects are only a subset of the agency’s modernization initiatives. 

As reflected by its projects and high-level plans, FDA intends to 
address most of the limitations in its IT systems and infrastructure 
that had been previously identified. However, successfully overcoming 
these limitations depends in part on the agency’s developing and 
implementing appropriately detailed plans. A comprehensive IT strategic 
plan, including results-oriented goals and performance measures, is 
vital for guiding and coordinating the agency’s numerous ongoing 
modernization projects and activities. Until it develops such a plan, 
the risk is increased that the agency’s IT modernization may not 
adequately meet the agency’s urgent mission needs. 

FDA has made mixed progress in establishing important IT management 
capabilities that are essential in helping ensure a successful 
modernization. These capabilities include investment management, 
information security, enterprise architecture development, and human 
capital management. For example, as part of a move to an enterprisewide 
approach to IT management, FDA has put policies in place for investment 
management and project management, and it is making progress in 
addressing information security. However, significant work remains with 
regard to enterprise architecture (that is, establishing modernization 
blueprints describing the organization’s operation in terms of business 
and technology), particularly its “to be” architecture—a blueprint of 
where it wants to go in the future. Further, the agency is not 
strategically managing IT human capital—it has not determined its IT 
skills needs or analyzed gaps between skills on hand and future needs. 
In both these areas (enterprise architecture and human capital 
management), the agency’s vision for the future, as captured in an IT 
strategic plan, would be an important asset. Without an effective 
enterprise architecture and strategic human capital management, FDA has 
less assurance that it will be able to modernize effectively and will 
have the appropriate IT staff to effectively implement and support its 
modernization efforts. 

What GAO Recommends: 

GAO is recommending that FDA expeditiously develop a comprehensive IT 
strategic plan, give priority to architecture development, and complete 
key elements of IT human capital planning. In commenting on a draft of 
this report, FDA agreed with GAO’s recommendations and identified 
actions initiated or planned to address them. 

View [hyperlink, http://www.gao.gov/products/GAO-09-523] or key 
components. For more information, contact Valerie C. Melvin at (202) 
512-6304 or melvinv@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

FDA Is Pursuing Systems Modernization, but It Has Not Developed an IT 
Strategic Plan to Guide Its Initiatives: 

FDA Has Made Mixed Progress in Key IT Management Practices: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Food and Drug Administration: 

Appendix III: FDA's Mission-Critical Systems and Infrastructure: 

Appendix IV: Studies That Identify FDA's Information Technology 
Limitations: 

Appendix V: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: FDA's IT Funding for Projects and Systems: 
Table 2: FDA Major Modernization Efforts and Projects: 
Table 3: IT Initiatives in Strategic Action Plan, by Strategic Goal: 
Table 4: FDA Projects, Activities, and Plans Intended to Address 
Identified Limitations: 
Table 5: Examples of FDA Regulatory Tracking Systems and Users: 
Table 6: Examples of FDA's Compliance Systems and Users: 
Table 7: Examples of FDA's Adverse Event Reporting Systems and Users: 

Figures: 
Figure 1: Critical IT Management Capabilities: 
Figure 2: Strategic Workforce Planning Process: 

Abbreviations: 

CIO: Chief Information Officer: 

EAMMF: Enterprise Architecture Maturity Framework: 

FAERS: FDA Adverse Event Reporting System: 

FDA: Food and Drug Administration: 

FISMA: Federal Information Security Management Act of 2002: 

HHS: Department of Health and Human Services: 

ICT21: Information and Computer Technology for the 21st Century: 

IT: information technology: 

ITIM: Information Technology Investment Management: 

MARCS: Mission Accomplishments and Regulatory Compliance Services: 

ORA: Office of Regulatory Affairs: 

OIM: Office of Information Management: 

OMB: Office of Management and Budget: 

PDUFA: Prescription Drug User Fee Act: 

PREDICT: Predictive Risk-based Evaluation for Dynamic Import Compliance 
Targeting: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

June 2, 2009: 

Congressional Requesters: 

The Food and Drug Administration (FDA) is responsible for ensuring the 
safety and effectiveness of a wide range of consumer products, 
including 80 percent of our nation's food supply.[Footnote 1] In 
carrying out these responsibilities, FDA relies heavily on information 
technology (IT). However, incidents have occurred in which the agency's 
ability to carry out its mission has been impeded by deficiencies in 
its IT capabilities. For example, in 2001, in conducting its review of 
the anti-inflammatory drug Vioxx, FDA encountered difficulties with the 
slowness of its systems in analyzing the data. Concerns have been 
raised that deficiencies in the agency's systems and IT management 
could weaken its regulatory programs, lead to inefficient uses of 
resources, or result in uninformed or misinformed decisions. Since 
2001, FDA has begun various initiatives to modernize its IT systems. 

In view of the importance of IT to FDA's ability to effectively fulfill 
its mission needs, you asked us to (1) evaluate the agency's overall 
plans for modernizing its systems, including the extent to which the 
plans address identified limitations or inadequacies in the agency's IT 
capabilities, and (2) assess to what extent the agency has put in place 
key IT management policies and processes to guide the implementation of 
its modernization projects. 

To evaluate FDA's overall plans for modernizing its IT systems, we 
examined criteria for strategic plans in guidance from the Office of 
Management and Budget (OMB),[Footnote 2] legislation (the Clinger-Cohen 
Act),[Footnote 3] and our previous reports.[Footnote 4] We assessed 
whether these plans included strategies and projects to address 
limitations in the agency's IT capabilities. We also reviewed 
project-level documentation, such as planning and project management 
documents, and we interviewed cognizant FDA officials. 

To assess the agency's IT management, we focused on key 
areas--investment management, information security, enterprise 
architecture[Footnote 5] development, and human capital management. We reviewed 
documentation on the agency's policies and procedures for managing IT 
investments, enterprise architecture, and human capital; we analyzed 
these against selected key practices from analytical frameworks that we 
have developed.[Footnote 6] For information security, we reviewed a 
2008 inspector general report for the Department of Health and Human 
Services (HHS, FDA's parent department) on the agency's information 
security, which assessed FDA's compliance with the Federal Information 
Security Management Act of 2002.[Footnote 7] We did not audit specific 
projects to analyze how IT management policies and procedures were 
implemented. 

We conducted this performance audit from May 2008 through June 2009 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. For more details on our 
objectives, scope, and methodology, see appendix I. 

Results in Brief: 

Although FDA has ongoing projects and activities to modernize its IT 
systems and infrastructure, it does not yet have a comprehensive IT 
strategic plan to guide its modernization activities. In response to 
federal law and guidance and urgent mission needs, the agency is 
pursuing numerous modernization projects, many of which are in early 
stages (that is, planning and requirements development). These include 
at least 16 enterprisewide initiatives, such as MedWatch Plus--the 
development of a single portal for health organizations and the public 
to report adverse event[Footnote 8] information on FDA-regulated 
products. However, FDA does not have a comprehensive IT strategic plan 
to coordinate and manage these ongoing modernization initiatives. Such 
a plan would provide a comprehensive picture of what the organization 
seeks to accomplish, identify the strategies it will use to achieve 
desired results, provide results-oriented goals and performance 
measures that permit it to determine whether it is succeeding, and 
describe interdependencies within and across projects so that these can 
be understood and managed. FDA has developed two high-level planning 
documents that include some of these elements, but not all: 

* The agency's Strategic Action Plan provides high-level goals and 
objectives related to modernization of IT infrastructure and systems, 
but it does not provide details on specific IT initiatives, such as 
milestones and performance measures. 

* An IT plan for FDA's user fee program for drugs and biological 
products provides greater detail on specific IT initiatives, including 
milestones and goals, but these initiatives are only a subset of the 
agency's modernization projects.[Footnote 9] 

As reflected by its projects and high-level plans, FDA intends to 
address most of the limitations in its IT systems and infrastructure 
that had previously been identified by the agency's Science Board, its 
contractors, and us. However, successfully overcoming these limitations 
depends in part on the agency's developing and implementing appropriate 
plans. A comprehensive IT strategic plan, including results-oriented 
goals and performance measures, is vital for guiding and coordinating 
FDA's numerous, ongoing modernization projects and activities. Until 
the agency develops such a plan, the risk is increased that the 
modernization efforts may not adequately meet the agency's urgent 
mission needs. 

FDA has made mixed progress in establishing important IT management 
capabilities that will be essential in helping ensure a successful 
modernization. These capabilities include investment management, 
information security, enterprise architecture development, and human 
capital management. For example, FDA has policies in place for IT 
investment management, and according to a recent inspector general 
assessment, is making progress in addressing information security, 
although some problems remain. On enterprise architecture, although FDA 
officials report putting in place some elements for managing the 
agency's architecture efforts, FDA does not yet have an architecture 
that can be used to efficiently and effectively guide and constrain its 
modernization efforts. In particular, significant work remains on its 
"to be" architecture--a blueprint of where it wants to go in the 
future. Further, the agency is not strategically managing IT human 
capital--it has not determined its IT skills needs or analyzed gaps 
between skills on hand and future needs. In both these areas 
(enterprise architecture and human capital management), the agency's 
vision for the future, as captured in an IT strategic plan, would be an 
important asset. Without an effective enterprise architecture and human 
capital management that is based on a strategic vision for the agency's 
IT, FDA will reduce its assurance that it will be able to modernize 
effectively and will have the appropriate IT staff to effectively 
implement and support its modernization efforts. 

To help ensure the success of FDA's modernization efforts, we are 
recommending that the agency develop a comprehensive IT strategic plan, 
including results-oriented goals, strategies, milestones, performance 
measures, and an analysis of interdependencies among projects and 
activities, and use this plan to guide and coordinate its modernization 
projects and activities. We are also recommending that it prioritize 
and accelerate development of its enterprise architecture to ensure 
that its information systems projects appropriately support its plans 
for the future. Finally, we are recommending that the agency develop a 
skills inventory, needs assessment, gap analysis, and plan for filling 
skills gaps as part of a strategic approach to IT human capital 
planning. 

The Acting Commissioner of Food and Drugs[Footnote 10] provided written 
comments on a draft of this report (the comments are reproduced in app. 
II). In the comments, FDA generally agreed with our recommendations and 
identified actions initiated or planned to address them. For example, 
the agency stated that it intends to complete an IT strategic plan by 
the end of fiscal year 2009, and that it is documenting an enterprise 
architecture program management plan. The agency also provided 
technical comments to clarify our discussion of its IT budget, which we 
have incorporated as appropriate. 

Background: 

FDA's mission is to protect public health by ensuring the safety, 
efficacy, and security of human and veterinary drugs, biologic 
products, medical devices, our nation's food supply, cosmetics, and 
products that emit radiation. The agency is also responsible for 
advancing public health by helping to speed innovations that make 
medicines and foods more effective, safer, and more affordable and by 
helping the public get the accurate, science-based information it needs 
to use medicines and foods to improve health. 

FDA carries out its regulatory mission primarily through five main 
centers and its Office of Regulatory Affairs: 

* Center for Biologics Evaluation and Research. Regulates and evaluates 
the safety and effectiveness of biological products, such as blood and 
blood products, vaccines and allergenic products, and protein-based 
drugs. 

* Center for Devices and Radiological Health. Ensures that new medical 
devices are safe and effective before they are marketed and that 
radiation-emitting products, such as microwave ovens, TV sets, cell 
phones, and laser products meet radiation safety standards. 

* Center for Drug Evaluation and Research. Promotes and protects the 
health of Americans by ensuring that all prescription and 
over-the-counter drugs are safe and effective. 

* Center for Food Safety and Applied Nutrition. Ensures the safety of 
80 percent of food consumed in the United States (it is responsible for 
everything except meat, poultry, and some egg products, which are 
regulated by the U.S. Department of Agriculture). 

* Center for Veterinary Medicine. Helps to ensure that animal food 
products are safe; also evaluates the safety and effectiveness of drugs 
used to treat more than 100 million companion animals. 

* Office of Regulatory Affairs. Works to ensure that FDA's health 
standards are properly implemented and adhered to through inspections, 
lab analysis, and public outreach. 

The agency relies extensively on IT to fulfill its mission and to 
support related administrative needs. FDA has systems dedicated to 
supporting the following major mission activities: 

* Reviewing and evaluating new product applications, such as for 
prescription drugs, medical devices, and food additives. These systems 
are intended to help FDA determine whether a product is safe before it 
enters the market. For example, the Document Archiving Retrieving and 
Regulatory Tracking System is intended to manage the drug and 
therapeutics review process. 

* Overseeing manufacturing sites and production supply chains to ensure 
that products comply with regulatory requirements. For example, the 
Field Accomplishments and Compliance Tracking System supports 
inspections, investigations, and compliance activities. 

* Monitoring the safety of products on the market by collecting and 
assessing adverse reactions to FDA-regulated products, such as 
illnesses due to food or negative reactions to drugs. For example, the 
Vaccine Adverse Event Reporting System accepts reports of adverse 
events that may be associated with U.S.-licensed vaccines from health 
care providers, manufacturers, and the public. 

In addition, the agency has systems performing administrative 
processes, such as payroll administration and personnel systems. 

All these systems are supported by an IT infrastructure that includes 
network components, critical servers, and multiple data centers. 
Appendix III provides additional details on the agency's 
mission-critical systems and infrastructure. 

The information that FDA receives is growing in volume and complexity. 
According to FDA, from 2001 to 2006, the number of import shipments 
that the agency inspected for admission into the United States 
increased from about 7 million imports reviewed annually to about 18 
million. During this period, the number of adverse event reports and 
generic drug applications more than doubled. Advances in science and 
the increase in imports are also factors affecting the complexity of 
information that FDA receives. The ability of the agency's IT systems 
and infrastructure to accommodate this growth will be crucial to FDA's 
ability to accomplish its mission effectively. 

Previous Studies Have Highlighted Limitations of FDA's IT: 

FDA's IT has been the subject of numerous reports and studies, both by 
the agency itself and by others (see app. IV for a list of major 
reports and studies related to limitations of the agency's IT). These 
reports have noted limitations in a number of key areas, including data 
availability and quality, IT infrastructure, ability to use technology 
to improve regulatory effectiveness, and IT management. 

Data availability and quality: Issues with the quality and availability 
of FDA's data have been raised in several studies. In 2007, the FDA 
Science Board issued FDA Science and Mission at Risk,[Footnote 11] a 
broad assessment of challenges facing the agency. This study found that 
information was not easily and immediately accessible throughout the 
agency (including critical clinical trial data that were available only 
in paper form), hampering FDA's ability to regulate products. Data and 
information exchange was impeded because information resided in 
different systems that were not integrated. The Science Board also 
reported that FDA lacked sufficient standards for data exchanges, both 
within the agency and between the agency and external parties, reducing 
its capability to manage the complex data and information challenges 
associated with rapid innovation, such as new data types, data models, 
and analytic methods. 

In 2007, FDA commissioned Deloitte Consulting, LLP, to examine ways the 
agency could better meet increased demand for information and make 
decisions more quickly and easily.[Footnote 12] Deloitte noted that 
FDA's former decentralized approach to IT, in which the centers 
developed their own systems, led to duplicative work efforts, tools, 
and information. Noting that the agency had begun moving toward a more 
enterprisewide approach, Deloitte recommended further steps, including 
establishing enterprisewide information standards and incorporating 
data exchange standards into its day-to-day processes and applications 
in order to achieve interoperability with external partners. 

Our previous work also has identified issues related to the 
availability and quality of the agency's data. For example, our 1998 
study of FDA's foreign drug inspection program cited evaluations that 
essential data for foreign inspections were not readily available, and 
that FDA did not have a comprehensive, agencywide, automated system for 
managing foreign inspection of manufacturers.[Footnote 13] Further, in 
a series of products (most recently in September 2008)[Footnote 14] on 
FDA inspections of foreign establishments, we reported that the 
agency's databases on these establishments contained incorrect 
information and that different databases had differing information. 

IT infrastructure: Issues raised regarding FDA's infrastructure include 
aging and redundancy. According to the FDA Science Board's 2007 report, 
the agency's IT infrastructure was outdated and unstable, and it lacked 
sufficient controls to ensure continuity of operations or to provide 
effective disaster recovery services. For example, as many as 80 
percent of the network servers were more than 5 years old and had 
exceeded their recommended service life. In addition, the report stated 
that outages were occurring in other systems as well; for example, 
e-mail problems occurred during an E. coli food contamination 
investigation. Further, critical network components did not reside in 
data centers that provided the necessary security, redundancy, and 
continuity of operations assurances. 

In addition, after assessing the agency's legacy applications, FDA's 
contractor, High Performance Technologies, Inc., issued a report in 
2008 that identified many systems that were redundant and could be 
combined with each other, as well as systems that could be 
retired.[Footnote 15] 

Ability to use technology to improve regulatory effectiveness: 
According to the FDA Science Board report, advances in science and 
technology have been outpacing the capabilities of FDA's IT 
infrastructure and systems. For example, although genetics and 
genome-wide association analyses are an increasingly important technique in 
drug reviews, the agency had minimal IT infrastructure to support 
genomics-focused efforts, which generate large data sets. To implement 
the real-time acquisition and sharing of genomics data would require 
the development of appropriate data storage, mining, analysis, and risk 
evaluation tools for FDA scientists. 

IT management: Issues with FDA's IT management have been found in 
several areas, including human capital, enterprise architecture, 
governance, and information security. In assessing IT human capital, 
the Science Board stated that the agency did not have sufficient IT 
staff with skills in such areas as capital planning/investment control 
and enterprise architecture, that processes for recruitment and 
retention of IT staff were inadequate, and that the agency did not 
invest sufficiently in professional development. 

Deloitte's study also commented on IT management, stating that FDA 
needed to develop both a common enterprise information management 
architecture and an IT architecture[Footnote 16] to facilitate both 
short-term operational gains such as improved information access, as 
well as long-term gains in strategic flexibility. 

In another study, the Breckenridge Institute examined the process being 
used to develop requirements for the agency's adverse event reporting 
system[Footnote 17] and found that FDA's management of requirements 
development did not follow proper IT methodology, such as documenting 
the reasons for changes to system requirements. 

Finally, in October 2008, an HHS inspector general report concluded 
that FDA had made progress implementing an infrastructure to support 
the security management program.[Footnote 18] However, the Inspector 
General also noted that the agency had not fully implemented a security 
program infrastructure[Footnote 19] and was not performing all the 
activities required to integrate security into applications. 

FDA Has Been Moving toward an Enterprisewide Approach to IT: 

Driven in part by the various studies that the agency has performed or 
sponsored (as discussed previously), as well as legislative 
requirements, FDA has been transitioning to an enterprisewide approach 
to IT management. For example, in February 2006 the agency created the 
Bioinformatics Board to replace center-specific investment review 
boards, in order to better coordinate its IT investment decisions from 
an agencywide perspective. According to the agency's Chief Information 
Officer (CIO), this broader perspective led to an increased emphasis on 
the need for FDA to treat its information as a strategic corporate 
asset and manage it accordingly. Among the steps taken to help achieve 
this goal were centralizing the IT organization and consolidating IT 
infrastructure. 

In May 2008, the agency transferred responsibility for managing IT from 
individual components (centers and the Office of Regulatory Affairs) to 
a new centralized Office of Information Management (OIM), headed by the 
CIO. The CIO reports to the agency's Chief Operating Officer. 

As head of OIM, the CIO is responsible for managing IT, creating a 
foundation to enhance the interoperability of its systems, and managing 
more than 400 staff assigned to this office. 

OIM has five divisions to carry out its responsibilities: 

* Division of Business Partnership and Support. Acts as liaison and 
provides management and technical consultation resources regarding IT 
to FDA offices, centers, and other stakeholders, including parties 
outside the agency. 

* Systems Division. Manages design, development, implementation, and 
maintenance of agency software applications and systems, as well as 
their integration with other entities. 

* Infrastructure Division. Manages design, development, implementation, 
and maintenance of the agency's IT infrastructure. 

* Division of CIO Support. Oversees internal IT management controls, 
such as its enterprise architecture, investment management, and human 
capital management. 

* Division of Technology. Reviews and evaluates the appropriateness of 
new and emerging information technologies for potential benefits. 

As part of its centralization efforts, FDA is transferring IT staff and 
assets from its components to the new centralized organization, and it 
is consolidating its IT infrastructure. Under one initiative, 
Information and Computer Technology for the 21st Century (ICT21), the 
agency is, for example, consolidating its data into two new data 
centers, one to host its production and preproduction systems and 
information, and the other to host system testing, development, and 
scientific computing needs. 

FDA's IT Budget: 

FDA's fiscal year 2009 budget totals about $2.67 billion and is derived 
both from the agency's annual appropriations and user fees. The 
appropriated budget authority is about $2.05 billion or 77 percent of 
funding, and user fees account for about $613 million or 23 percent of 
funding. FDA collects user fees primarily from companies that produce 
certain human drug and biologic products, as authorized by the 
Prescription Drug User Fee Act of 1992 (PDUFA).[Footnote 20] 

FDA's fiscal year 2009 IT budget is approximately $364 million, which 
is about 14 percent of the agency's total budget. The IT budget 
includes funds of $308.4 million for projects and systems and $55.2 
million for federal employee salaries and expenses. The funding for 
projects and systems is derived from annual appropriations of $246.1 
million and user fees of $62.3 million. The funding for federal 
employee salaries and expenses is derived from annual appropriations of 
$44.4 million and user fees of $10.8 million. 

According to data provided by FDA officials, the portion of FDA's 
fiscal year 2009 IT budget that funds IT projects and systems has 
increased from previous years. As shown in table 1, from fiscal year 
2005 to fiscal year 2009, funding for projects and systems increased 
from $202.3 million in annual funding to $308.4 million. 

Table 1: FDA's IT Funding for Projects and Systems (Dollars in 
millions): 

Fiscal Year[A]: 2005; 
IT total: $202.3. 

Fiscal Year[A]: 2006; 
IT total: $192.4. 

Fiscal Year[A]: 2007; 
IT total: $230.7. 

Fiscal Year[A]: 2008; 
IT total: $231.9. 

Fiscal Year[A]: 2009; 
IT total: $308.4. 

Source: FDA. 

[A] According to FDA, the HHS portfolio expenditure reporting system, 
ProSight, is unable to provide individual year IT costs for the years 
2005, 2006, and 2007. Thus, the agency provided estimates for these 
years, the actual figure for 2008, and an estimate for 2009. 

[End of table] 

According to the agency's CIO, during fiscal years 2008 and 2009, IT 
expenditures have focused on addressing limitations, such as updating 
the infrastructure, and on problems that could be immediately 
addressed, such as eliminating duplicative databases related to adverse 
event reporting. He added that in the future, FDA plans to focus on 
more long-term modernization projects for supporting the agency's 
regulatory responsibilities. 

Effective IT Management Is Key to Successful Modernization: 

Key to an agency's success in modernizing its IT systems, as our 
research and experience at federal agencies has shown, is 
institutionalizing a set of interrelated IT management capabilities, 
among which are: 

* strategic planning to describe an organization's goals, strategies it 
will use to achieve desired results, and performance measures; 

* developing and using an agencywide enterprise architecture, or 
modernization blueprint, to guide and constrain IT investments; 

* establishing and following a portfolio-based approach to investment 
management; 

* implementing information security management that ensures the 
integrity and availability of information; and: 

* building and sustaining an IT workforce with the necessary knowledge, 
skills, and abilities to execute this range of management functions. 

Figure 1 shows these capabilities, which are critical to enable 
organizations to manage IT effectively. 

Figure 1: Critical IT Management Capabilities: 

[Refer to PDF for image: illustration] 

Key components of effective information technology management: 

* IT strategic planning; 
* Information security management; 
* IT human capital management; 
* Enterprise architecture; 
* IT investment management. 

Source: GAO. 

[End of figure] 

The Congress and OMB have recognized the importance of these and other 
IT management controls. The Clinger-Cohen Act, for example, provides a 
framework for effective IT management[Footnote 21] that includes 
systems integration planning, human capital management, and investment 
management. In addition, the Paperwork Reduction Act requires that 
agencies have strategic plans for their information resource 
management,[Footnote 22] and the E-Government Act of 2002 contains 
provisions for improving the skills of the federal workforce in using 
IT to deliver government information and services.[Footnote 23] 
Further, OMB has issued guidance on integrated IT modernization 
planning and effective IT human capital and investment management. 
[Footnote 24] 

Establishing IT management capabilities involves carrying out specific 
practices. For example, human capital management requires assessing 
present and future agency skills needs and making a plan to fill gaps. 
We have developed methods of evaluating agencies' progress on these 
management capabilities, such as our IT Investment Management (ITIM) 
framework,[Footnote 25] Enterprise Architecture Management Maturity 
Framework,[Footnote 26] and framework for strategic human capital 
management.[Footnote 27] These frameworks list specific practices that 
an agency should use. 

We have observed that without these types of capabilities, 
organizations increase the risk that system modernization projects will 
(1) experience cost, schedule, and performance shortfalls and (2) lead 
to systems that are redundant and overlap. They also risk not achieving 
such aims as increased interoperability and effective information 
sharing. As a result, technology may not effectively and efficiently 
support agency mission performance and help realize strategic mission 
outcomes and goals. 

FDA Is Pursuing Systems Modernization, but It Has Not Developed an IT 
Strategic Plan to Guide Its Initiatives: 

FDA is pursuing numerous initiatives to modernize its IT systems and 
infrastructure, including at least 16 enterprisewide initiatives. 
However, it does not yet have a comprehensive IT strategic plan, with 
well-defined goals, strategies, milestones, and measures, to guide 
these efforts. According to the Chief Operating Officer, the agency 
must resolve many near-term planning activities and strategic 
investment decisions before it can complete long-term plans. Without a 
strategic plan to sequence and synchronize these initiatives based on a 
comprehensive picture of its strategic IT goals, the agency increases 
the risk that its modernization efforts will not be effective. 

Of FDA's numerous modernization initiatives, some began as a result of 
federal law and guidance (such as initiatives associated with PDUFA), 
and others in response to urgent mission requirements, including those 
pointed out in the various analyses of FDA's IT systems and 
infrastructure previously described. Table 2 lists 16 major 
modernization projects with an enterprisewide focus that are under way 
or planned. As the table shows, many of these projects are still in the 
early stages of the life cycle (that is, planning and requirements 
development). 

Table 2: FDA Major Modernization Efforts and Projects: 

Project: Automated Employee Processing; 
Description of intended functions and services: Ease information 
collection for human capital systems, particularly those where an 
employee joins, transfers, or leaves FDA; 
Life cycle phase: Planning; 
Planned completion: TBD. 

Project: Automated Laboratory Management; 
Description of intended functions and services: Facilitate 
communication between labs by creating an electronic environment based 
on a standardized format; 
Life cycle phase: Planning; 
Planned completion: 2013. 

Project: Common Electronic Document Room; 
Description of intended functions and services: Combine centers' 
Electronic Document Rooms to 
contain virtually all documents received and generated by FDA, improve 
access to those documents and metadata across center lines, and enhance 
the ability of agency reviewers and others to perform their jobs; 
Life cycle phase: Requirements development; 
Planned completion: 2010. 

Project: Consolidated Infrastructure; 
Description of intended functions and services: Provide IT services to 
12,000 employees, including server management, telecommunications, and 
network; customer care and IT Helpdesk with on-site support; security 
operations; customer relationship management, planning and project 
management, and training efforts; Internet/intranet infrastructure 
management; and White Oak Data Center Consolidation; 
Life cycle phase: Operations and maintenance; 
Planned completion: NA. 

Project: FDA Advanced Submission and Tracking Review; 
Description of intended functions and services: Review new FDA IT 
systems to identify general-purpose IT components that support the core 
technical competency of multiple business processes. These IT 
components are to be reused in future systems to improve the 
consistency of systems and cost-efficient development; 
Life cycle phase: Requirements development; 
Planned completion: 2010. 

Project: FDA Adverse Event Reporting System (FAERS); 
Description of intended functions and services: Centralize back-end 
analysis part of adverse event reporting formerly done by the centers; 
Life cycle phase: Requirements development; 
Planned completion: 2010. 

Project: FDA Advisory Committee Tracking Reporting System; 
Description of intended functions and services: Implement a 
centralized, integrated, and fully electronic system that will 
significantly reduce current paper processes used to manage FDA 
advisory committees; 
Life cycle phase: Requirements development; 
Planned completion: TBD. 

Project: Financial Enterprise Solutions; 
Description of intended functions and services: Ensure that allocated 
public funds support the FDA mission with fiduciary integrity in 
compliance with applicable laws, accounting standards, and federal 
guidelines through administrative spending controls while reducing 
costs and improving efficiency of financial management processes; 
Life cycle phase: Mixed life cycle; 
Planned completion: Mixed. 

Project: Harmonized Inventory; 
Description of intended functions and services: Standardize about 20 IT 
systems that did not have standardized data and processes; establish 
and integrate standardized business processes and data elements 
throughout FDA; 
Life cycle phase: Mixed life cycle; 
Planned completion: 2013. 

Project: Information and Computer Technology for the 21st Century 
(ICT21); 
Description of intended functions and services: Replace FDA's outdated 
data centers with new production and test facilities, and establish a 
disaster recovery site; 
Life cycle phase: Implementation; 
Planned completion: Ongoing. 

Project: Janus; 
Description of intended functions and services: Develop standards-based 
scientific data exchange networks needed to ensure the quality, safety, 
and efficacy of products as defined by FDA's regulatory mandate; 
Life cycle phase: Planning; 
Planned completion: TBD. 

Project: MedWatch Plus; 
Description of intended functions and services: Establish a single 
portal for adverse event reporting with an improved user interface; 
Life cycle phase: Requirements development; 
Planned completion: 2010. 

Project: Mission Accomplishments and Regulatory Compliance Services 
(MARCS); 
Description of intended functions and services: Enhance eight legacy 
systems with functions including inspecting imports and collecting 
information on facilities; 
Life cycle phase: Planning; 
Planned completion: 2013. 

Project: Predictive Risk-based Evaluation for Dynamic Import Compliance 
Targeting (PREDICT); 
Description of intended functions and services: Create a risk-based 
import screening system to improve the efficiency and productivity of 
the inspection process through targeting high-risk imports; 
Life cycle phase: Mixed life cycle; 
Planned completion: TBD. 

Project: Regulated Product Submission; 
Description of intended functions and services: International effort to 
develop a single standard for electronic submission of information on 
regulated products, including food additives, medical devices, and 
veterinary products to regulatory authorities in FDA and others, 
including international agencies; 
Life cycle phase: Planning/Requirements development; 
Planned completion: TBD. 

Project: Sentinel; 
Description of intended functions and services: Provide a query 
capability to health-care-related organizations--including government, 
industry, and academia--and the public for the early identification of 
adverse events; 
Life cycle phase: Planning; 
Planned completion: TBD. 

Source: GAO analysis of FDA data. 

Note: In addition to modernization projects with an enterprisewide 
focus, FDA is pursuing projects that are specific to individual 
centers. Such center-specific projects are not included in the table. 

[End of table] 

In addition to these system and infrastructure development projects, 
FDA is taking actions to develop and enhance its IT management 
capabilities. That is, the agency is taking actions such as beginning 
to develop its enterprise architecture, gathering information on needed 
IT skills, and seeking contract support to improve application security 
and to analyze skills gaps. (FDA's IT management capabilities are 
further discussed later in this report.)[Footnote 28] 

However, even as it undertakes these various initiatives and 
activities, FDA does not yet have the necessary planning in place to 
guide its efforts. Although agency officials identified two high-level 
planning documents that address different aspects of the agency's IT 
environment, FDA lacks a comprehensive IT strategic plan, which is a 
foundation for effective modernization and is required by federal 
guidance.[Footnote 29] As we have previously reported, such a plan is 
to serve as the agency's IT vision or roadmap and help align its 
information resources with its business strategies and investment 
decisions. The plan might include the mission of the agency, key 
business processes, IT challenges, and guiding principles. A strategic 
plan is important to enable an agency to consider the resources, 
including human, infrastructure, and funding, that are needed to 
manage, support, and pay for projects. For example, a strategic plan 
that identifies what an agency intends to accomplish during a given 
period helps ensure that the necessary infrastructure is put in place 
for new or improved capabilities. In addition, a strategic plan that 
identifies interdependencies within and across individual IT systems 
modernization projects helps ensure that the interdependencies are 
understood and managed, so that projects--and thus system solutions-- 
are effectively integrated. 

In summary, an IT strategic plan would provide a comprehensive picture 
of what the organization seeks to accomplish, identify the strategies 
it will use to achieve desired results, provide results-oriented goals 
and performance measures that permit it to determine whether it is 
succeeding, and describe interdependencies within and across projects 
so that these can be understood and managed. 

However, FDA has not yet developed such a plan, although it does have 
two high-level planning documents--the agency's Strategic Action Plan 
and the PDUFA IV IT Plan (PDUFA plan). Even in combination, however, 
the two plans do not have the scope and depth of an IT strategic plan: 
the first does not treat IT initiatives in depth, and the second is not 
an agencywide plan. Although these two plans include some elements of 
an IT strategic plan, they do not include all. 

FDA's Strategic Action Plan, approved in fall 2007, does not include 
all IT projects or their associated performance measures, milestones, 
and interdependencies, although it does include strategic goals and 
objectives. Specifically, the plan describes four major strategic goals 
for the agency along with subsidiary implementation objectives, some of 
which identify IT initiatives (table 3 shows these major goals, 
objectives, and initiatives). As an overall agency plan, the Strategic 
Action Plan includes initiatives related to the agency's major 
strategic goals, but it does not include performance measures or 
milestones for those initiatives. In addition, it does not include 
certain IT initiatives; for example, the PREDICT initiative, described 
in table 2, is a major initiative not mentioned in the Strategic Action 
Plan. Further, it does not identify interdependencies within and across 
individual IT modernization projects to ensure that they are understood 
and managed appropriately. For example, FDA has several ongoing 
projects that are developing data standards, including Regulated 
Product Submission, Harmonized Inventory, and Automated Laboratory 
Management. A well-designed IT strategic plan would document any 
interdependencies in such related projects. 

Table 3: IT Initiatives in Strategic Action Plan, by Strategic Goal: 

Strategic goal: Strengthen FDA for Today and Tomorrow; 
Objectives and associated IT initiatives: Objective to strengthen FDA's 
base of operations identifies initiatives to: 
* assemble agencywide IT teams to facilitate cross-center approach to 
systems that perform similar functions; 
* enhance IT infrastructure through transformation initiative and 
create foundation for agencywide interoperability; 
* create essential computational tools for FDA scientists and 
professionals to strengthen product development and approval, and; 
* deliver new information technologies to accelerate and transform FDA 
operations. 

Strategic goal: Improve Patient and Consumer Safety; 
Objectives and associated IT initiatives: 
Objective to improve information systems for problem detection and 
public communication about product safety identifies initiatives to: 
* develop tools and methods for active postmarket surveillance; 
* seek access to databases that will identify a full array of safety 
problems; 
* create a single Web-based portal for reporting adverse events, and; 
* expand FDA staff's real-time access to information related to crises 
and emergencies by extending the deployment of an incident management 
system throughout the agency; 
Objective to provide patients and consumers with better access to clear 
and timely risk-benefit information for medical products identifies an 
initiative to: 
* publish an electronic newsletter with summaries of the results of 
drug reviews. 

Strategic goal: Increase Access to New Medical and Food Products; 
Objectives and associated IT initiatives: 
Objective to improve the medical product review process to increase the 
predictability and transparency of decisions using the best available 
science identifies initiatives to: 
* integrate information about premarket decisions on medical devices 
into a single, comprehensive tracking warehouse that all staff can 
access; 
* implement an electronic drug review process in collaboration with the 
National Cancer Institute; and; 
* pilot test and evaluate a Web-based tracking system for premarket 
review of medical devices; 
Objective to increase access to safe and nutritious new food products 
identifies an initiative to: 
* upgrade system and related databases for reviewing food ingredient 
submissions. 

Strategic goal: Improve the Quality and Safety of Manufactured Products 
and the Supply Chain; 
Objectives and associated IT initiatives: 
Objective to detect safety problems earlier and better target 
interventions to prevent harm to consumers identifies an initiative to: 
* develop advanced analytic tools (artificial intelligence, data 
mining, and risk-based modeling) to prioritize inspections and 
compliance work, including import screening; 
Objective to respond more quickly and effectively to emerging safety 
problems, through better information, better coordination, and better 
communication identifies an initiative to: 
* harmonize and modernize the information management and business 
processes for tracking regulated establishments and products. 

Source: GAO analysis of FDA data. 

[End of table] 

The PDUFA plan, published in July 2008, does focus on IT, and it 
provides details on goals, initiatives, and milestones, as well as 
performance measures. The plan includes several sections addressing 
current FDA IT goals and strategies. For example, it discusses detailed 
measures to create data standards to be used throughout the agency for 
regulatory submissions, and it describes the responsibilities of a Data 
Standards Council, which coordinates standards with data provider 
organizations. 

However, this document is not a comprehensive plan for the agency's IT 
because it addresses only those IT initiatives that are related to user 
fee programs (which cover drugs and biologics). Further, it does not 
include an assessment of interdependencies among projects. 

Thus, although the Strategic Action Plan and PDUFA plan contain 
elements that would be included in an IT strategic plan, neither 
provides the comprehensive coverage of FDA's goals and activities that 
a well-crafted IT strategic plan would provide. 

FDA officials agreed that the current plans do not include all the 
elements required for an IT strategic plan. The CIO said that the 
agency is aware of the importance of having such a plan and intends to 
develop one. However, according to the Chief Operating Officer, the 
agency must resolve many near-term planning activities and strategic 
investment decisions before it can complete long-term systems 
development plans. He stated that FDA is still working on its vision 
for modernizing IT infrastructure and services and how to incorporate 
that vision into an IT strategic plan. Accordingly, FDA has not defined 
either milestones or a completion date for an IT strategic plan. 

FDA's Projects and Plans Are Intended to Address Most Previously 
Identified Limitations: 

As reflected by its projects and high-level plans, FDA intends to 
address most of the limitations in its IT systems and infrastructure 
that had been previously identified by the agency's Science Board, its 
contractors, and us. Table 4 provides an overview of the limitations 
along with related projects and activities that the agency is planning 
or currently undertaking. The table also shows which identified 
limitations are discussed in the two high-level planning documents 
mentioned earlier (the agency's Strategic Action Plan and the PDUFA 
plan). Addressing these limitations in plans and projects does not 
guarantee that the limitations will be successfully overcome, but it 
does indicate that they are receiving management attention. 

Table 4: FDA Projects, Activities, and Plans Intended to Address 
Identified Limitations: 

Data availability and quality: 

Identified limitation: FDA lacks the ability to adequately access, 
collect, store, and mine data, much of which is still paper-based. Lack 
of data impairs FDA's ability to perform analyses that may yield 
important insights for products under review or on the market; 
Intent to address limitation reflected in: Associated project or 
activity[A]: Common Electronic Document Room, FAERS, Harmonized 
Inventory, MedWatch Plus, Regulated Product Submission; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
addresses limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan addresses 
limitations. 

Identified limitation: FDA cannot seamlessly integrate and exchange 
internal and external data, because it lacks sufficient data standards; 
Intent to address limitation reflected in: Associated project or 
activity[A]: Harmonized Inventory, FAERS, Janus, center-specific PDUFA 
project[B]; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
addresses limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan addresses 
limitations. 

Identified limitation: FDA's current critical information supply chains 
suffer from inefficiencies, such as the inability to communicate with 
external partners, leading to missed opportunities to access and use 
data effectively; 
Intent to address limitation reflected in: Associated project or 
activity[A]: Sentinel, Common Electronic Document Room; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
addresses limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan addresses 
limitations. 

Identified limitation: FDA's database systems do not provide an 
accurate count of foreign establishments subject to inspection, and 
thus FDA does not know the number or percentage of inspected 
establishments. Inconsistencies such as these in its databases have 
prevented FDA from ensuring compliance with corrective items from 
inspections that highlighted serious deficiencies; 
Intent to address limitation reflected in: Associated project or 
activity[A]: MARCS; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
addresses limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

Identified limitation: FDA's ability to develop media to communicate 
with industry and consumers (such as through advanced Web tools) is not 
adequate; 
Intent to address limitation reflected in: Associated project or 
activity[A]: A committee has been established to explore options; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

IT infrastructure: 

Identified limitation: The FDA IT infrastructure is obsolete and 
unstable. Critical network components are not centralized in data 
centers that would provide necessary security, redundancy, and 
continuity of operations; 
Intent to address limitation reflected in: Associated project or 
activity[A]: ICT21; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
addresses limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan addresses 
limitations. 

Identified limitation: FDA's information infrastructure does not 
sufficiently support current regulatory scientific or operational 
needs; 
Intent to address limitation reflected in: Associated project or 
activity[A]: ICT21; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
addresses limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan addresses 
limitations. 

Ability to use technology to improve regulatory effectiveness: 

Identified limitation: FDA and other stakeholders cannot perform 
inspection, remote monitoring, or sensing for contaminants in regulated 
products at manufacturing sites or in transportation vehicles; 
Intent to address limitation reflected in: Associated project or 
activity[A]: No associated project or activity identified; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

Identified limitation: FDA does not have the capability for predictive, 
risk-based surveillance and targeting; 
Intent to address limitation reflected in: Associated project or 
activity[A]: PREDICT; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

Identified limitation: FDA does not have capabilities in the areas of 
information sciences and infrastructure to deliver critical innovations 
in IT to keep up with rapidly evolving science and technology; 
Intent to address limitation reflected in: Associated project or 
activity[A]: Automated Laboratory Management, ICT21, Janus; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
addresses limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan addresses 
limitations. 

Identified limitation: The laboratory community at FDA lacks the 
necessary specialized computing infrastructure and tools, such as a 
segregated network for increased security;
Intent to address limitation reflected in: Associated project or 
activity[A]: Automated Laboratory Management, Janus; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
addresses limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

IT management: 

Identified limitation: FDA is not integrating security into 
applications; 
Intent to address limitation reflected in: Associated project or 
activity[A]: Centralized security program, new support contract; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

Identified limitation: FDA does not have a complete enterprise 
architecture (EA); 
Intent to address limitation reflected in: Associated project or 
activity[A]: Building of EA begun, including planning documents; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

Identified limitation: FDA's IT staffing is not sufficient to support 
current regulatory scientific or operational needs or to perform IT 
management activities; 
Intent to address limitation reflected in: Associated project or 
activity[A]: Analysis of staffing needs begun[C]; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

Identified limitation: FDA has inadequate processes for the recruitment 
and retention of IT staff; 
Intent to address limitation reflected in: Associated project or 
activity[A]: No associated project or activity identified; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

Identified limitation: FDA does not have an effective performance 
measurement program; 
Intent to address limitation reflected in: Associated project or 
activity[A]: No associated project or activity identified[D]; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan does not 
address limitations. 

Identified limitation: FDA does not invest sufficiently in professional 
development. The IT training budget is low; 
Intent to address limitation reflected in: Associated project or 
activity[A]: Reported increase in training budget[E]; 
Intent to address limitation reflected in: Strategic Action Plan: Plan 
does not address limitations; 
Intent to address limitation reflected in: PDUFA plan: Plan addresses 
limitations[F]. 

Source: GAO analysis of FDA data. 

[A] Project descriptions and abbreviations are provided in table 2. 

[B] The PDUFA plan also includes center-specific projects relevant to 
this limitation. 

[C] OIM is beginning to gather information on workforce needs and has 
drafted a task order for a skills gap analysis. In addition, governance 
boards (Bioinformatics Board and Business Review Boards) have been 
created and staffed. 

[D] No activities are planned because FDA officials stated that the 
agency has effective performance measurement. 

[E] FDA officials did not provide specific figures to support this 
statement. 

[F] The plan mentions training, although only for standards development 
activities. 

[End of table] 

As the table shows, FDA intends to address most of the previously 
identified limitations in its IT systems, infrastructure, and 
management. That is, of the 17 limitations in the table, 14 are 
associated with projects, activities, or plans. For example, to address 
IT infrastructure limitations, the ICT21 project is, among other 
things, replacing outdated data centers.[Footnote 30] To address 
limitations in the agency's ability to handle data and make the data 
available, the Common Electronic Document Room project is to digitize 
data formerly available only in paper form, as well as establish a 
single repository for all regulatory documents (replacing separate 
document repositories at FDA's centers). Further, to increase the 
agency's ability to use technology to improve regulatory effectiveness, 
the PREDICT project is to provide the capability for predictive, 
risk-based surveillance of imported food. That is, it is to assist FDA 
inspectors in deciding which shipments of imported food to inspect by 
using a rule-based expert system to assess information from multiple 
sources and determine which shipments carry the highest risk.[Footnote 31] 

However, FDA is not addressing 3 of 17 limitations. For example, the 
agency does not have projects, activities, or plans to address its 
inability to perform inspections, remote monitoring, or sensing for 
contaminants in regulated products at manufacturing sites or in 
transportation vehicles. According to FDA officials, an initial 
investigation of the possible use of RFID (radio frequency 
identification) tags to allow remote monitoring to prevent drug 
counterfeiting was not successful. Agency officials indicated that 
remote sensing was currently not a high priority. In addition, the 
agency does not plan to address two previously identified limitations 
in IT management (this topic is discussed in the next section). 

Further, although these projects, activities, and high-level plans 
[Footnote 32] are intended to address most of the limitations, 
successfully overcoming the limitations depends in part on the agency's 
developing and implementing appropriately detailed plans. FDA is taking 
steps to respond to the need to modernize its IT systems and 
infrastructure, but the number and range of its activities are further 
evidence of the importance of a comprehensive IT strategic plan to 
guide and coordinate them. Such a plan would allow FDA to integrate the 
planning for all of its modernization projects, including setting 
priorities, allocating resources, and accounting for dependencies. At 
the same time, it would provide a roadmap for improving FDA's IT 
management capabilities, which would decrease the risk that the 
agency's modernization initiatives will not achieve their goals or 
deliver planned capabilities on time and within budget. 

FDA Has Made Mixed Progress in Key IT Management Practices: 

An agency's chance of success in modernizing its IT systems is improved 
if it institutes critical IT management capabilities, including 
strategic planning (discussed in the previous section), investment 
management, information security, enterprise architecture, and human 
capital.[Footnote 33] Although FDA is making progress in these areas, 
it has considerable work to do. It is building necessary capabilities 
in investment management and information security, but it continues to 
have information security deficiencies, and important elements of its 
enterprise architecture are not in place. Finally, it is not 
effectively managing its IT human capital. Without these management 
capabilities in place, FDA increases the risk that its modernization 
efforts will not deliver required system capabilities and expected 
mission value on time and within budget. 

FDA Has Implemented an Investment Management Structure and Processes: 

IT investment management links investment decisions to an 
organization's strategic objectives and business plans. The 
Clinger-Cohen Act requires an agency to, among other things, select and control 
IT projects as investments in a manner that minimizes risks while 
maximizing the return. Projects are seen as investments and are 
selected and managed on the basis of cost, benefit, risk, and 
organizational priorities by an investment board made up of senior 
agency managers. 

* To select an investment, the organization (1) identifies and analyzes 
each project's risks and returns before committing significant funds to 
any project and (2) selects those IT projects that will best support 
its mission needs. The selection process should take account of the 
specific business needs addressed by each project and should use the 
agency's enterprise architecture. 

* Once a project is under way, the organization manages project 
schedules, costs, benefits, and risks to ensure that the project meets 
mission needs within cost and schedule expectations. 

Our ITIM framework[Footnote 34] for assessing investment management 
maturity includes foundational processes for selecting projects and for 
managing them at the project level, such as establishing an investment 
review board, developing an investment selection process, and 
overseeing the progress of individual projects. FDA has made progress 
in implementing selected foundational processes, as described below. 

Selecting IT investments. FDA has put in place several important 
practices cited in our ITIM framework, including establishing an 
investment review board and developing an investment selection process: 

* In February 2006, the agency created an IT investment review board-- 
the Bioinformatics Board. The board has broad responsibilities, 
including approving all IT budget execution decisions; overseeing 
business decisions on priority, planning, and execution of agency cross-
cutting automation projects; directing the related business process 
analyses; and overseeing planning activities to ensure coordination. 
Members of the board are senior officials: It is co-chaired by two 
Deputy Commissioners--the Chief Operating Officer and the Chief Medical 
Officer. 

* FDA has established Business Review Boards, representing core 
agencywide business areas, as standing subcommittees of the 
Bioinformatics Board. The Business Review Boards, among other things, 
act as the agencywide "business sponsor" of new systems development, 
provide oversight and direction of the work being performed on IT 
systems and projects within their defined areas, and prepare and 
present proposals to the Bioinformatics Board for review and approval. 

* FDA has documented criteria for evaluating prospective projects, such 
as public health impact, cost savings, and whether the project is 
agencywide. Bioinformatics Board members told us that the Business 
Review Boards use these criteria and others specified by the 
Bioinformatics Board, such as budget considerations. 

Oversight and project management. As part of an effective IT investment 
process, an agency must be able to control its investments--manage its 
projects--so that they finish predictably within established schedule 
and budget. To accomplish this, agencies should have policies and 
procedures for oversight and should provide adequate resources, such as 
managers and staff responsible for monitoring projects. In the absence 
of predictable, repeatable, and reliable investment control processes, 
investments will be subject to a higher risk of failure.[Footnote 35] 

FDA's Business Review Boards and Bioinformatics Board are responsible 
for overseeing projects. The Business Review Boards are responsible for 
day-to-day oversight of projects, for providing status reports, and for 
elevating problems to the Bioinformatics Board as needed. In the 
oversight area, the Bioinformatics Board reviews status reports and 
makes decisions on problems elevated by the Business Review Boards. 

FDA also has put in place a policy framework to manage its projects 
effectively. For example: 

* FDA has created a project management office to assess and improve 
project management, standardize project management practices, improve 
communication so that senior executives and stakeholders know program 
and project status, and centralize and coordinate the management of IT 
programs and projects. The agency also has a staff of trained project 
managers and has assigned project managers to most of its modernization 
projects. 

* FDA has a documented project monitoring and control process intended 
to track progress so that appropriate corrective actions can be taken 
when the project's performance deviates significantly from the baseline 
project management plan. It defines tasks to be performed by the 
project manager--such as tracking progress and managing risk--and 
identifies supporting tools. This process, if appropriately 
implemented, provides FDA with a foundation for an effective project 
management capability.[Footnote 36] 

FDA Is Making Progress on Addressing Information Security Issues, but 
Risks Remain: 

Information security is critically important for federal agencies, 
where the public's trust is essential, and poor information security 
can have devastating consequences. Since 1997, we have identified 
information security as a governmentwide high-risk issue in each of our 
biennial reports to the Congress.[Footnote 37] Concerned by reports of 
significant weaknesses in federal computer systems, the Congress passed 
the Federal Information Security Management Act of 2002 (FISMA), which 
requires agencies to develop and implement an information security 
program, evaluation processes, and annual reporting. 

FDA's most recent FISMA results indicate that the agency has made 
progress on information security but that problems remain. The 2008 
FISMA audit by the HHS Inspector General found that FDA continued to 
make progress in implementing an infrastructure to support security 
management. However, the report cited 78 deficiencies in seven 
categories, including infrastructure, integrating security into 
applications, network management, and personnel security. 

In response to the Inspector General's report, FDA's CIO reported that 
the agency has conducted a comprehensive security review and made major 
changes to its information security program. According to the CIO, it 
has a new IT security program that is consolidated at the agency level 
and will provide consistent, centralized support across the agency. In 
addition, the agency has awarded a new contract for security services, 
and it is taking steps to address the Inspector General's specific 
concerns. However, FDA is not addressing all of the Inspector General's 
findings, because it believes it already meets the requirements for 
several of the controls found to be deficient. 

Security issues could be a challenge for FDA's modernization plans; the 
Common Electronic Document Room, for example, will need to securely 
keep confidential records, trade secrets, and classified materials. 
Effective information security is essential to prevent data tampering, 
disruptions in critical operations, fraud, and unauthorized access or 
disclosure of sensitive information. 

FDA Has Not Developed an Architecture to Effectively Guide and 
Constrain Its Projects: 

An agency's enterprise architecture describes both its business 
operations and the technology it uses to carry out those operations. It 
is a blueprint for organizational change defined in models that 
describe (in both business and technology terms) how an entity operates 
today and how it intends to operate in the future; it also includes a 
plan for transitioning to this future state. For example, it discusses 
interrelated business processes and business rules, information needs 
and flows, and work locations and users. Technical topics include 
hardware, software, data, communications, security attributes, and 
performance standards. It provides these perspectives both for the 
enterprise's current or "as is" environment and for its target or "to 
be" environment, as well as a transition plan for moving from the "as 
is" to the "to be" environment. 

We have developed our Enterprise Architecture Management Maturity 
Framework to provide federal agencies with a common benchmarking tool 
for planning and measuring their efforts to improve enterprise 
architecture management.[Footnote 38] Like the ITIM, it provides a five-
stage hierarchy of core management elements that agencies should 
perform to manage enterprise architecture development, maintenance, and 
implementation. The initial core elements for building the enterprise 
architecture foundation focus on building a management foundation; for 
example, one of these core elements is the organization's recognizing 
that an enterprise architecture is a corporate asset by vesting 
accountability for it in an executive body that represents the entire 
enterprise. At this stage, an organization also assigns management 
roles and responsibilities and establishes plans for developing 
enterprise architecture products and for measuring program progress and 
product quality; it also commits the resources necessary for developing 
an architecture--people, processes, and tools. In addition, the 
organization develops a documented enterprise architecture program 
management plan, describing in detail the steps to be taken and tasks 
to be performed in managing the program, including a detailed work 
breakdown and estimates for funding and staffing. 

According to FDA, it has taken several initial steps toward building an 
enterprise architecture management foundation, such as: 

* establishing a committee or group representing the enterprise that is 
responsible for enterprise architecture, 

* establishing a program office responsible for enterprise 
architecture, and 

* designating a Chief Architect. 

However, according to the chief architect, FDA has not developed the 
program management plan that our framework characterizes as essential 
to ensuring that the enterprise architecture is effectively and 
efficiently developed. 

Beyond establishing an enterprise architecture management foundation, 
FDA has not yet developed architecture artifacts at the depth and 
breadth associated with a well-defined enterprise architecture. 
According to FDA's Chief Architect and other officials, they are 
currently modeling the agency's existing business processes and the 
data exchanges among existing processes as part of an HHS-wide modeling 
effort. Further, the agency has a listing of its current systems and 
the business processes that they support. However, no other "as is" 
artifacts were available. For the "to be," the Chief Architect stated 
that they have developed an initial version of the "to be" architecture 
and have completed a transition plan for moving from the "as is" to the 
"to be." However, they could not provide either the "to be" 
architecture artifacts that we requested or the enterprise transition 
plan. According to relevant guidance and best practices,[Footnote 39] 
the transition plan should provide a road map for moving from the "as 
is" to the "to be" environment. 

To facilitate its enterprise architecture efforts, FDA is using an 
approach called segment architecture.[Footnote 40] A segment 
architecture allows for the details needed to implement an enterprise 
architecture to be built in piece by piece. First a corporate layer of 
architecture is built that sufficiently reflects, among other things, 
those policies, rules, and standards that apply across the whole 
enterprise; then the more specific content needed to implement the 
enterprise architecture on a segment-by-segment basis is added. The 
segment architecture extends the enterprisewide layer, providing 
additional detail and depth needed to implement project and IT 
solutions. Accordingly, segment architectures do not stand alone. 

FDA has begun building segments before it has a well-defined enterprise 
architecture and before it has prioritized its segments. According to 
the Federal Enterprise Architecture Practice Guide, prioritizing 
segments should precede building them. Once prioritization is 
completed, the agency should define (1) the scope and strategic intent 
of each segment, (2) business and information requirements, and (3) the 
conceptual solution architecture.[Footnote 41] FDA has identified 26 
segments in all (for example, product safety, risk analysis, scientific 
analysis, and external partnerships), but it has not yet prioritized 
them. According to FDA, its enterprise architecture staff are currently 
working to define a standard set of criteria that the Bioinformatics 
Board is to use to set priorities for the remaining segments. 

Although FDA has not prioritized its segments, it has, according to 
officials, completed the architecture for one segment--product safety-- 
including an "as is," "to be," and transition plan. According to the 
Chief Architect, the completed product safety segment architecture 
describes the scope and strategic intent of the segment, defines 
business and information requirements, and includes a description of 
the solutions architecture. According to FDA officials, this 
architecture has been sent to HHS for approval. However, they could not 
provide documentation of the completed segment. 

Attempting to define and build major IT systems without first 
completing an enterprisewide architecture and, where 
appropriate, the relevant segment architecture is risky. According to 
the Federal Enterprise Architecture Practice Guide, prioritizing 
segments should precede building them, and developing the segment 
architecture should take place before an agency executes projects. FDA 
has identified three modernization projects as being within the product 
safety segment: MedWatch Plus, FAERS, and Harmonized Inventory. Thus, 
the other 13 major modernization projects are proceeding without the 
guidance and constraint of an enterprise or segment architecture. For 
example, some projects outside the product safety segment--such as the 
Common Electronic Document Room and PREDICT--that will need to use data 
from multiple sources may not be able to exchange data seamlessly with 
future systems. Similarly, a recent FDA study to identify existing 
applications with potential for agencywide use said it could not make 
definitive recommendations without a "to be" architecture. Also, going 
forward, further development of a "to be" enterprise architecture could 
be hindered by the lack of an IT strategic plan, since an enterprise 
architecture must align with an organization's strategic planning. As 
long as the architectural context for its enterprise architecture and 
segment architectures lags behind its modernization projects, FDA 
increases the risk that its modernization solutions will not be 
defined, developed, and deployed in a way that promotes 
interoperability, maximizes shared reuse, and minimizes overlap and 
duplication. 

FDA Has Begun Steps for Strategically Managing IT Human Capital, but 
Critical Activities Remain: 

The success or failure of federal programs, like those of other 
organizations, depends on having the right number of people with the 
right mix of knowledge and skills. In our past work, we have found that 
strategic human capital management is essential to the success of any 
organization.[Footnote 42] 

Strategic human capital management focuses on two principles that are 
critical in a modern, results-oriented management environment: 

* People are assets whose value can be enhanced through investment. 

* An organization's human capital approaches must be aligned to support 
the mission, vision for the future, core values, goals and objectives, 
and strategies by which the organization has defined its direction. 

In our model of strategic human capital management and our report on 
principles for strategic workforce planning,[Footnote 43] we lay out 
principles for managing human capital. Strategic workforce planning 
involves determining the critical skills and competencies needed to 
achieve current and future program results (these should be linked to 
long-term goals), analyzing the gaps between current skills and future 
needs, and developing strategies for filling gaps. Figure 2 shows the 
process of planning for workforce needs and the need for ongoing gap 
analyses based on program goals. 

Figure 2: Strategic Workforce Planning Process: 

[Refer to PDF for image: illustration] 

Organizational Mission: 

1) IT program goals and execution; 
2) Forecast of future workforce needs; 
3) Gap Analysis; 
4) Initiatives to address capability gap; 
5) Inventory of existing workforce capabilities: returns information to 
Gap analysis and IT program goals and execution. 

Source: GAO. 

[End of figure] 

FDA is not yet strategically managing its IT workforce, although it is 
taking some steps to address its IT human capital limitations. (As 
described in table 4, previously identified limitations include 
insufficient IT workforce and lack of investment in staff development.) 
For example, officials told us they have substantially increased the 
training budget this year for IT staff, although they could not provide 
actual dollar figures. Further, because the centers' IT staffs have 
been centralized into the new Office of Information Management, IT 
human capital planning can be done centrally by the CIO. 

However, FDA has not yet inventoried the IT skills of its current IT 
workforce, determined present or future skills needs, or analyzed gaps. 
(A senior official said these activities were not undertaken because 
the centralization was too recent.) The CIO said that the agency is 
drafting a work order for an IT skills gap analysis, and agreed that 
the IT function is still understaffed. Even in the absence of an 
inventory, FDA officials were able to cite some skills areas as 
currently in short supply, such as project managers and network 
engineers. Finally, as mentioned earlier, the agency does not yet have 
an IT strategic plan; having a plan that describes future activities 
would improve the agency's ability to accurately project its future 
staff and skill needs. Until it begins managing IT human capital 
strategically, FDA cannot be assured that it will have the workforce it 
needs to carry out its modernization projects. 

Conclusions: 

FDA is undertaking a variety of activities to address IT limitations 
that have hampered its mission, many of which the agency describes as 
urgent and some (such as PDUFA investments) as a result of federal laws 
and guidance. To help ensure that these important efforts are 
successful, the agency would be assisted by the kind of strategic view 
of its modernization initiatives provided by an appropriately 
comprehensive IT strategic plan. However, FDA does not have such a plan 
guiding its modernization efforts. FDA's current agencywide plans lack 
many of the elements associated with a comprehensive IT strategic plan, 
such as strategies for managing the interdependencies among projects. 

In its modernization initiatives, FDA is taking steps to improve IT 
management. That is, it has begun implementing an enterprisewide 
approach to IT management, and it has put into place a foundation for 
investment management. However, FDA has weaknesses in certain IT 
management capabilities, including enterprise architecture, human 
capital, and security. Unless it further develops its enterprise 
architecture, the agency increases the risk that projects will not 
fully meet its strategic mission requirements, will be duplicative, and 
will not be integrated. In addition, the lack of a developed IT human 
capital management process increases the risk that projects will fail 
and that activities will continue to be hampered by a shortage of 
appropriately skilled staff. Finally, to address information security 
risks, the agency will need to ensure that it responds appropriately to 
the recommendations made by the HHS Inspector General. 

Recommendations for Executive Action: 

To help ensure the success of FDA's modernization efforts, we recommend 
that the Commissioner of FDA require the CIO to take expeditious 
actions to: 

* set milestones and a completion date for developing a comprehensive 
IT strategic plan, including results-oriented goals, strategies, 
milestones, performance measures, and an analysis of interdependencies 
among projects and activities, and use this plan to guide and 
coordinate its modernization projects and activities; 

* develop a documented enterprise architecture program management plan 
that includes a detailed work breakdown of the tasks, activities, and 
time frames associated with developing the architecture, as well as the 
funding and staff resources needed; 

* complete the criteria for setting priorities for the segment 
architecture and prioritize the segments; 

* accelerate development of the segment and enterprise architecture, 
including "as is," "to be," and transition plans, and in the meantime 
develop plans to manage the increased risk to modernization projects of 
proceeding without an architecture to guide and constrain their 
development; and 

* develop a skills inventory, needs assessment, and gap analysis, and 
develop initiatives to address skills gaps as part of a strategic 
approach to IT human capital planning. 

Agency Comments and Our Evaluation: 

The Acting Commissioner of Food and Drugs provided written comments on 
a draft of this report (the comments are reproduced in app. II). In the 
comments, FDA generally agreed with our recommendations and identified 
actions initiated or planned to address them. On developing a 
comprehensive IT strategic plan, for example, the agency stated that 
its efforts included performing a high-level analysis of FDA's most 
immediate needs and priorities, and taking a longer-range view of the 
functionalities and capabilities it will need in the coming years. The 
agency added that it intends to complete a draft plan by the end of 
fiscal year 2009. In addition, with regard to its enterprise 
architecture, the agency stated that it was currently documenting a 
program management plan. It also indicated that it will use its ITIM 
processes to identify risks to its projects and programs and help 
ensure that they adhere to the agency's "to be" architecture. Further, 
on developing a strategic approach to IT human capital planning, FDA 
stated that it plans to assess workforce needs, develop hiring plans 
based on the needs, and survey staff to identify their concerns with 
the organizational environment. 

The agency's completion of the activities described, as well as other 
necessary actions to implement our recommendations, should increase the 
likelihood that FDA's modernization projects and activities will 
accomplish their intended goals. 

In addition, the agency provided technical comments to clarify our 
discussion of its IT budget, which we have incorporated as appropriate. 

We are sending copies of this report to the Commissioner of the Food 
and Drug Administration, appropriate congressional committees, and 
other interested parties. In addition, the report is available at no 
charge on the GAO Web site at [hyperlink, http://www.gao.gov]. 

Should you or your staffs have questions on matters discussed in this 
report, please contact me at (202) 512-6304 or melvinv@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made major 
contributions to this report are listed in appendix V. 

Signed by: 

Valerie C. Melvin: 
Director, Information Management and Human Capital Issues: 

List of Congressional Requesters: 

The Honorable Edward M. Kennedy 
Chairman 
Committee on Health, Education, Labor, and Pensions 
United States Senate: 

The Honorable Charles E. Grassley: 
Ranking Member: 
Committee on Finance: 
United States Senate: 

The Honorable Henry A. Waxman: 
Chairman: 
The Honorable Joe Barton: 
Ranking Member: 
The Honorable John D. Dingell: 
Chairman Emeritus: 
Committee on Energy and Commerce: 
House of Representatives: 

The Honorable Bart Stupak: 
Chairman: 
The Honorable Greg Walden: 
Ranking Member: 
Subcommittee on Oversight and Investigations: 
Committee on Energy and Commerce: 
House of Representatives: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objectives were to (1) evaluate the Food and Drug Administration's 
(FDA) overall plans for modernizing its systems, including the extent 
to which the plans address identified limitations or inadequacies in 
the agency's information technology (IT) capabilities, and (2) assess 
to what extent the agency has put in place key IT management policies 
and processes to guide the implementation of its modernization 
projects. 

To evaluate FDA's overall plans for modernizing its IT systems, we 
examined criteria for strategic plans in guidance from the Office of 
Management and Budget (OMB),[Footnote 44] legislation (the 
Clinger-Cohen Act),[Footnote 45] and our previous reports.[Footnote 46] We 
analyzed studies of FDA's IT conducted in the last several years to 
identify core limitations. We requested and received documentation from 
FDA on its agencywide modernization projects, including descriptions of 
their purpose and project summary status reports showing their expected 
completion dates and other milestones. We then analyzed these documents 
to determine which IT limitations these projects were intended to 
address. We analyzed the agency's two main high-level planning 
documents that address IT, the agency's Strategic Action Plan and the 
Prescription Drug User Fee Act (PDUFA) IV IT Plan, to determine whether 
they included elements of an IT strategic plan. We also assessed 
whether these plans were addressing IT limitations by analyzing whether 
they included strategies to address each limitation, and whether the 
plan included one or more projects intended to address each limitation. 
However, we did not assess the degree to which each limitation was 
addressed by FDA's activities. Finally, we attended information 
sessions given by a contractor and an FDA inspector on one of the 
agency's major initiatives--the Predictive Risk-based Evaluation for 
Dynamic Import Compliance Targeting (PREDICT) system--to gain 
understanding of the methodology and plans for implementing the system. 

To assess the IT management guiding the implementation and management 
of FDA's modernization projects, we focused on key areas--investment 
management (including project management), information security, 
enterprise architecture development, and human capital management. We 
looked at whether policies or processes were in place for IT investment 
management, enterprise architecture, and human capital. We based our 
analysis on three frameworks: our Information Technology Investment 
Management (ITIM) framework,[Footnote 47] our Enterprise Architecture 
Management Maturity Framework,[Footnote 48] and our framework for 
strategic human capital management.[Footnote 49] 

* The ITIM framework is a maturity model composed of five progressive 
stages of maturity that an agency can achieve in its IT investment 
management capabilities. Each stage specifies critical processes as 
well as specific key practices within each process. Stage 2 critical 
processes lay the foundation for sound IT investment management. We 
examined FDA's implementation of three critical stage 2 processes 
(Instituting the Investment Board, Selecting an Investment, and 
Providing Investment Oversight). Within each process, we looked for the 
existence of policies, procedures, and organizational entities that 
would enable effective investment management and oversight. We did not 
do a complete ITIM assessment or audit specific IT projects to analyze 
how well the policies and procedures were implemented. 

* Our Enterprise Architecture Management Maturity Framework (EAMMF) describes 
stages of maturity in managing enterprise architecture. Each stage 
includes core elements--descriptions of a practice or condition that is 
needed for effective enterprise architecture management. We evaluated 
FDA's implementation of four core elements from stage 2 (Building the 
Enterprise Architecture Management Foundation). We did not do a 
complete EAMMF assessment, and we did not audit specific IT projects to 
analyze how well the policies and procedures were implemented. To 
supplement the EAMMF criteria, we used criteria from the Federal 
Enterprise Architecture Practice Guide issued by OMB[Footnote 50] and 
compared FDA's progress on its architecture with these criteria. 

* Our framework for strategic human capital management lays out 
principles for managing human capital. We evaluated FDA's policies and 
procedures against this framework. 

To assess the agency's management of information security, we analyzed 
the HHS Inspector General's fiscal year 2009 FISMA report, which 
assessed FDA's compliance with FISMA information security provisions. 
We did not do an independent review of the agency's information 
security. 

In addition, we interviewed FDA officials, including the Chief 
Operating Officer, the Chief Information Officer (CIO), and officials 
from the new Office of Information Management and its five 
subdivisions. We also interviewed officials from the Office of Budget 
Presentation and Formulation, the Center for Biologics Evaluation and 
Research, and the Center for Drug Evaluation and Research. Further, we 
interviewed officials outside FDA, including a member of the Science 
Board study[Footnote 51] and a former FDA regulatory official to obtain 
additional perspectives on IT issues and proposed solutions at FDA. 
Finally, we obtained the perspectives of the Acting Commissioner 
regarding the IT issues identified in our review. 

We conducted this performance audit at FDA headquarters in Rockville, 
Maryland, from May 2008 through June 2009 in accordance with generally 
accepted government auditing standards. Those standards require that we 
plan and perform the audit to obtain sufficient, appropriate evidence 
to provide a reasonable basis for our findings and conclusions based on 
our audit objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objective. 

[End of section] 

Appendix II: Comments from the Food and Drug Administration: 

Department Of Health & Human Services: 
Office Of The Secretary: 
Assistant Secretary for Legislation: 
Washington, DC 20201: 

May 25, 2009: 

Linda Kohn: 
Director, Health Care: 
U.S. Government Accountability Office: 
441 G Street N.W. 
Washington, DC 20548: 

Dear Ms. Kohn: 

Enclosed are comments on the U.S. Government Accountability Office's 
(GAO) report entitled: Information Technology: FDA Needs to Establish 
Key Plans and Processes for Guiding Systems Modernization Efforts (GAO-
09-523). 

The Department appreciates the opportunity to review this report before 
its publication. 

Sincerely, 

Signed by: 

Barbara Pisaro Clark: 
Acting Assistant Secretary for Legislation: 

Attachment: 

[End of letter] 

Department Of Health & Human Services: 
Food and Drug Administration: 
Silver Spring, MD 20993: 

Date: May 20, 2009; 

To: Acting Assistant Secretary for Legislation: 

From: Acting Commissioner of Food and Drugs Principal Deputy 
Commissioner: 

Subject: FDA's General Comments to GAO's Draft Report Entitled, 
Information Technology: FDA Needs to Establish Key Plans and Processes 
for Guiding Systems Modernization Efforts (GAO-09-523). 

FDA is providing the attached general comments to the U.S. Government 
Accountability Office's draft report entitled, Information Technology: 
FDA Needs to Establish Key Plans and Processes for Guiding Systems 
Modernization Efforts (GAO-09-523). 

FDA appreciates the opportunity to review and comment on this draft 
report before it is published. 

Signed by: 

Joshua M. Sharfstein, M.D. 

Attachment: 

FDA's General Comments to the U.S. Government Accountability Office's 
Draft Report Entitled "Information Technology: FDA Needs to Establish 
Key Plans and Processes for Guiding Systems Modernization Efforts" (GAO-
09-523): 

The Food and Drug Administration (FDA) appreciates the opportunity to 
review and comment on the Government Accountability Office's (GAO) 
draft report, Information Technology: FDA Needs to Establish Key Plans 
and Processes for Guiding Systems Modernization Efforts (GAO-09-523). 
In this draft report, GAO makes five recommendations to the FDA, 
including three on Enterprise Architecture (EA), one on a comprehensive 
information technology (IT) strategic plan, and one on IT human 
capital. FDA's general comments to GAO's recommendations follow: 

GAO Recommendation 1: 

Set milestones and a completion date for developing a comprehensive IT 
strategic plan, including results oriented goals, strategies, 
milestones, performance measures, and an analysis of interdependencies 
among projects and activities, and use this plan to guide and 
coordinate its modernization projects and activities. 

FDA Response: 

Under the auspices of the Bioinformatics Board (BiB), which governs 
FDA's enterprise information management development efforts, the agency 
is drafting an information management strategic plan with the following 
purpose: 

* Articulate a clear vision of the future target state of FDA's 
information management architecture and operating environment, which 
can be understood and evaluated by a broad array of internal and 
external audiences; 

* Frame a set of strategies and principles that will guide major 
planning and resource allocation decisions necessary to chart a path 
from FDA's current state to the future target state; and 

* Present a first iteration of a high-level "living" implementation 
plan, which provides an enterprise view of how FDA's regulatory 
programs and support functions will improve their information 
management capabilities in support of the Agency's mission. 

Taken together, these elements will provide a strategic framework for 
selecting, directing, and monitoring projects. 

Work on framing a strategic plan began in August 2008 and has continued 
through 2009. Planning efforts have included a high-level analysis of 
our most immediate needs and priorities for FY 09/10, as well as taking 
a longer range view of the functionalities and capabilities FDA will 
need in the coming years. The most recent exercise involves an analysis 
of each Center's strategic goals and how they may be incorporated in an 
overall information management strategic plan for the Agency. Armed 
with this information, the BiB strategic planning group will now move 
forward with completing a draft of an information management strategic 
plan. Our goal is to complete these efforts by the end of fiscal year 
2009. 

GAO Recommendations 2, 3, and 4: 

2. Develop a documented EA program management plan that includes a 
detailed work breakdown of the tasks, activities, and time frames 
associated with developing the architecture, as well as the funding and 
the staff resources needed; 

3. Complete the criteria for setting priorities for the segment 
architecture and prioritize the segments; and 

4. Accelerate the development of the segment and enterprise 
architecture, including "as is," "to be," and transition plans, and in 
the meantime, develop plans to manage the increased risk to 
modernization projects proceeding without an architecture to guide and 
constrain their development. 

FDA Response: 

FDA agrees with these recommendations. FDA has made significant 
progress in developing an EA program management plan since the onset of 
this study in May 2008 and is currently actively documenting this plan, 
including the breakdown of tasks, schedule, and resources from a 
historic and future perspective. Additionally, from an IT perspective, 
the Office of Information Management (OIM) instituted the IT Investment 
Management (ITIM) Process. ITIM creates a common set of governance 
activities that enables OIM to consistently evaluate, prioritize, and 
process requests for IT investments, products and services, and align 
every IT investment, regardless of size and impact, with an evaluation 
against the line of business, business strategy, BiB priorities, 
existing and "to-be"-state architecture, and FDA's ability to implement 
through the demand and resource management process. This process has 
been operational for six months and has been very successful at 
reducing the number of duplicative products, standardizing applications 
and services, leveraging economies of scale to promote enterprise 
licensing, and ensuring that the "to-be" state architecture and 
technologies are adhered to. This is a comprehensive plan that enables 
the FDA to understand project risks, dependencies, and inter-
relationships. It also allows FDA to identify points of risk and 
measure the progress and performance of its projects and programs. 
Through this plan, the FDA is now able to manage IT investments through 
governance and EA and measure its progress towards the business-defined 
strategic goals and capabilities. 

With regards to the third recommendation, the FDA has five lines of 
business (Premarket, Postmarket, Scientific Computing/Computational 
Science, Product Quality, and Administrative Services) that are defined 
by the BiB. The FDA has mapped 26 segments to these five lines of 
business. In addition, by utilizing the HHS Segment Prioritization and 
Ranking strategy, these segments have been scored and ranked according 
to detailed criteria related to financial spending, performance 
results, segment readiness, and strategic importance. 

In regards to the fourth recommendation, the Department of Health and 
Human Services (HHS) has determined a process to define the "as-is" 
architecture for each Operating Division. FDA's "as-is" architecture 
has been modeled according to guidelines set forth by HHS. In addition, 
the FDA's future state architecture was developed in February of 2009 
and defines the "to-be" architecture. Architectures are living, 
evolving documents and FDA is admittedly in the early stages of this 
process. The "to-be" architecture is composed of six layers (business, 
performance, data, technical, service component and security) that 
highly correspond to the Federal Segment Architecture Methodology 
(FSAM). Stratifying the "to-be" state architecture in this manner 
enables FDA to continue to develop and drive the 26 segments and ensure 
that the segments are consistent with the future state view. 

GAO Recommendation 5: 

Develop a skills inventory, needs assessment, and gap analysis, and 
develop initiatives to address skills gaps as part of a strategic 
approach to IT human capital planning. 

FDA Response: 

FDA agrees with this recommendation. OIM is a new organization less 
than a year old and requires the establishment of new processes and 
procedures. Senior management in each division within OIM strategically 
assessed workforce needs for their respective divisions to analyze and 
identify gaps. The Chief Information Officer is looking at these 
assessments and is developing hiring plans and priorities. The 
resultant information is being used to recruit skilled personnel both 
internally and externally to the FDA. Additionally, a climate survey 
was developed by a communications team made up of members from each 
division within OIM and facilitated by an external consultant. Staff 
participated in high numbers and the survey results will be used to 
generate constructive dialogue with staff during meetings. The results 
will also be used to further identify pertinent challenges and 
opportunities that OIM staff feels should be the organization's top 
priorities. 

[End of section] 

Appendix III: FDA's Mission-Critical Systems and Infrastructure: 

According to FDA's CIO, the agency defines mission-critical systems as 
those that support its centers and offices in accomplishing their 
mission. According to FDA, there are currently about 47 of these 
mission-critical systems.[Footnote 52] FDA's CIO stated that the number 
of mission-critical systems is subject to change as legacy systems are 
retired and modernization projects create new systems to take their 
place. 

Mission-Critical Systems: 

Mission-critical systems can be grouped by the key mission areas that 
they support: 

* reviewing and evaluating applications for new products, 

* overseeing manufacturing and production supply chains, and 

* monitoring the safety of products on the market. 

In tables 5 to 7, we provide examples of systems that are currently in 
use and support a variety of internal users from each of FDA's main 
centers and the Office of Regulatory Affairs (ORA). 

Systems to Review and Evaluate Applications for New Products: 

Regulatory tracking systems are currently used by each center for the 
day-to-day business activities supporting FDA's regulatory review 
processes. These systems are used in the receipt and storage of 
externally generated applications, submissions, or other information 
for FDA's regulatory review processes. 

Table 5: Examples of FDA Regulatory Tracking Systems and Users: 

System: Electronic Document Room; 
FDA organizations that are supported by the system: Center for 
Biologics Evaluation and Research; Center for Drug Evaluation and 
Research; Center for Devices and Radiological Health; 
End users: Registered industry contacts and reviewers; 
Description of system: An integrated system that enables an electronic 
regulatory process between industry and three FDA centers. It stores, 
retrieves, and distributes electronic submissions to reviewers and 
interfaces with regulatory databases. It was developed to support the 
center's managed review process. This project supports PDUFA goals and 
is financed by the user fee funds authorized by the act. 

System: Document Archiving Retrieving and Regulatory Tracking System; 
FDA organizations that are supported by the system: Center for Drug 
Evaluation and Research; 
End users: Drug reviewers, regulatory project managers, and information 
management staff; 
Description of system: Designed for FDA personnel to manage the drug 
and therapeutics review process, perform reviews, or manage and 
maintain the systems supporting the review process. The system provides 
a data management and reporting tool that integrates a database 
application that supports the center's core business functions. 

System: Food Additive Regulatory Management System; 
FDA organizations that are supported by the system: Center for Food 
Safety and Applied Nutrition; 
End users: Reviewers, consumer safety officers, and toxicologists; 
Description of system: Designed to support electronic processing, 
review, maintenance, and reporting for food ingredient submissions. The 
system includes an image-based electronic document management and 
workflow automation system that reduces search and processing time, 
expedites the ingredient review process and subsequent safety 
decisions, helps FDA perform associated activities such as responding 
to and managing Freedom of Information Act requests and general 
correspondence, and provides real-time reporting capability. 

Source: GAO summary of FDA information. 

[End of table] 

Systems to Oversee Manufacturing and Production Supply Chain: 

Compliance systems are used to process or assess data used by FDA when 
overseeing conformance to regulatory requirements of an external entity 
or marketed product. These systems are generally used in the inspection 
of an FDA-regulated product or its manufacturing facilities. 

Table 6: Examples of FDA's Compliance Systems and Users: 

System: Operational and Administrative System for Import Support; 
FDA organizations that are supported by the system: Office of 
Regulatory Affairs; 
End users: Import reviewers, investigators, compliance officers, ORA 
management, Prior Notice Center staff, and U.S. Customs and Border 
Protection staff; 
Description of system: Designed to automate the screening and review 
processes for FDA-regulated products offered for import into the United 
States. Automatic screening is based on criteria maintained by the 
Division of Import Operations and Policy, supports further human review 
of products that fail automated screening, and notifies U.S. Customs 
and Border Protection to take appropriate action. Based on the system's 
results, products may be allowed into distribution, or permitted to 
proceed to destination under bond pending further review. 

System: Field Accomplishments and Compliance Tracking System; 
FDA organizations that are supported by the system: Office of 
Regulatory Affairs; 
End users: Inspectors; investigators; compliance officers; FDA 
management; Division of Planning, Evaluation and Management; laboratory 
staff; and consumer safety analysts; 
Description of system: A group of related applications that supports 
inspection, investigation, and compliance activities and manages 
performance against FDA's annual objectives. Based on center work 
plans, the system schedules inspections and collects and maintains data 
from all work performed in the field both planned and in response to 
emergencies. Activities managed and tracked by the system include 
inspections (including the results of inspections contracted through 
the states), investigations and sample collections (including transfer 
of samples and tracking laboratory results), and the processing of 
compliance cases and actions. This system also maintains an inventory 
of regulated firms and their compliance status, which determines their 
ability to fulfill government contracts. 

System: Establishment Evaluation System; 
FDA organizations that are supported by the system: Center for Drug 
Evaluation and Research; Office of Regulatory Affairs; 
End users: Import inspectors; 
Description of system: Designed to facilitate the monitoring of Current 
Good Manufacturing Practices through capture of manufacturing site 
evaluation, inspection assignment, and inspection outcome information 
from both the center and the office. The system also plays a role in 
the screening of drug imports by the office, which uses the application 
to help determine the acceptability of foreign manufacturers of 
imported drugs. 

Source: GAO summary of FDA information. 

[End of table] 

Systems to Monitor Safety of Products on the Market: 

Adverse event reporting and analysis systems are used to process and/or 
assess data related to adverse reactions to FDA-regulated products. An 
adverse event could be illness due to food, injury caused by a device, 
or negative reaction to a drug or vaccine. 

Table 7: Examples of FDA's Adverse Event Reporting Systems and Users: 

System: CFSAN Adverse Event Reporting System; 
FDA organizations that are supported by the system: Center for Food 
Safety and Applied Nutrition (CFSAN); 
End users: Reviewers, consumer safety officers, and doctors; 
Description of system: A management tool for voluntary adverse event 
and product problem reports for all center-regulated products and 
mandatory reports of serious adverse events on dietary supplements. 
Reports are filed by consumer safety officers and doctors, among 
others. 

System: Vaccine Adverse Event Reporting System; 
FDA organizations that are supported by the system: Center for 
Biologics Evaluation and Research; 
End users: Reviewers and scientists; 
Description of system: This system accepts reports of adverse events 
that may be associated with U.S.-licensed vaccines from health care 
providers, manufacturers, and the public. FDA continually monitors the 
system's reports for any unexpected patterns or changes in rates of 
adverse events. 

System: Adverse Event Reporting System; 
FDA organizations that are supported by the system: Center for Drug 
Evaluation and Research; Center for Biologics Evaluation and Research; 
End users: Safety evaluators, compliance officers, and medical 
officers; 
Description of system: Designed to be the primary computer system that 
supports the centers' postmarket safety surveillance program, this 
system helps ensure the safety of human drugs and therapeutic biologics 
marketed in the United States by collecting and managing adverse event 
reports. 

Source: GAO summary of FDA information. 

[End of table] 

Mission-Critical Infrastructure: 

FDA has defined its mission-critical infrastructure as IT equipment 
that must be available full time (24 hours a day, 7 days a week) in 
order for the agency to accomplish its mission. FDA identified the 
following infrastructure components as mission critical: 

* Network components, which consist of Internet connectivity, domain 
name servers, active directory, e-mail, single sign on, and the routing 
infrastructure. 

* Critical servers to run systems needed for operations that must run 
full time, such as the Prior Notice Center, which must be available 
full time for FDA to receive prior notice before food is imported into 
the United States. Other examples are servers to support Mission 
Accomplishments and Regulatory Compliance Services, Operational and 
Administrative System for Import Support, and Electronic Submission 
Gateway. 

* Security components, such as the firewalls that protect the network 
from unauthorized users. 

* Secure Remote Access infrastructure, which provides the ability for 
authorized users to securely access FDA computing resources from a non- 
FDA remote location. 

In addition to its mission-critical infrastructure, FDA provides other 
infrastructure services that support its mission, including 
telecommunications and help desk services. 

[End of section] 

Appendix IV: Studies That Identify FDA's Information Technology 
Limitations: 

Study title: Independent Verification and Validation of AERS [Adverse 
Event Reporting System] II Requirements Process; 
Date: 2006; 
Performing organization: Breckenridge Institute; 
Reason study performed: Undertaken to examine the effectiveness of the 
process used to develop requirements for a replacement for the agency's 
dysfunctional AERS I system; 
Main IT-related findings: FDA's management of requirements development 
did not follow proper IT methodology; the Office of IT had poor 
procedures in the areas of procurement and communication with end 
users. 

Study title: Business Process Framework: FDA Business Process Model and 
Process Descriptions; 
Date: August 2005; revised June 2006; 
Performing organization: IBM, for FDA; 
Reason study performed: Endorsed by FDA Management Council to ensure 
that FDA's mission-critical IT activities are driven by proper business 
planning procedures; 
Main IT-related findings: According to a survey of participants from 
FDA's business centers done to understand the state of FDA business 
processes for use in FDA's business process strategies, FDA's IT 
capability to support processes needed significant improvement. 

Study title: Improvement Needed in FDA's Postmarket Decision-making and 
Oversight Process, GAO-06-402; 
Date: March 2006; 
Performing organization: GAO; 
Reason study performed: Requested by members of the Congress to 
determine FDA's ability to manage postmarket drug safety issues and 
assess the steps FDA is taking in this area; 
Main IT-related findings: FDA databases cannot perform some actions 
needed to make postmarket drug safety decisions, and different types of 
data are not available to FDA. 

Study title: FDA Science and Mission at Risk; 
Date: November 2007; 
Performing organization: FDA Science Board; 
Reason study performed: Requested by FDA to assess whether the agency's 
science and technology can support current and future regulatory needs; 
to identify the broad categories of scientific and technologic 
capacities that FDA needs to fully support its core regulatory 
functions and decision making; 
Main IT-related findings: FDA's resources have not increased in 
proportion to the scientific demands on the agency, resulting in demand 
that far exceeds its capacity to respond. FDA cannot fulfill many of 
its core regulatory functions because its IT infrastructure is 
obsolete, unstable, and inefficient. 

Study title: Information Technology Applications Assessment (vol. I); 
Date: March 2008; 
Performing organization: High Performance Technologies, Inc., for FDA; 
Reason study performed: Contracted by FDA to identify IT applications 
performing premarket processes, as defined by the Business Process 
Framework, with potential for agencywide use; also to find which 
applications were redundant, to retire them; 
Main IT-related findings: Significant overlap exists among the IT 
applications assessed--opportunities exist to streamline these 
applications; 16 of 54 premarket applications had high enterprise 
potential for functionality, 25 were rated medium, and 13 were rated 
low. 

Study title: Better Data Management and More Inspections Are Needed to 
Strengthen FDA's Foreign Drug Inspection Program, GAO-08-970; 
Date: September 2008; 
Performing organization: GAO; 
Reason study performed: Requested by the Congress to investigate 
concerns regarding FDA's foreign drug inspection program and make 
recommendations; 
Main IT-related findings: FDA's databases do not provide an accurate 
count of foreign establishments subject to inspection and do provide 
widely divergent counts. Because FDA does not know the number of 
establishments subject to inspection, the percentage of those inspected 
also cannot be calculated with certainty. Inconsistencies in its 
databases such as these have prevented FDA from ensuring compliance 
with corrective items from inspections that highlighted serious 
deficiencies. 

Study title: Audit of the Food and Drug Administration's Security 
Program; 
Date: October 2008; 
Performing organization: HHS Office of Inspector General; 
Reason study performed: Required by OMB to determine FDA's compliance 
with the Federal Information Security Management Act of 2002 (FISMA) in 
accordance with the OMB's guidance; to determine if the FDA's security 
program encompasses a risk-based life cycle approach to improving 
information security; 
Main IT-related findings: Among other things, FDA did not fully 
implement a security program infrastructure to support its overall 
security program, and FDA did not conduct all required system 
development life cycle activities. 

Study title: Enterprise Information Management Strategy; 
Date: December 2007; 
Performing organization: Deloitte Consulting, LLP, for FDA; 
Reason study performed: Undertaken to allow FDA to better meet 
increased demand for information, and to make decisions more quickly 
and easily; 
Main IT-related findings: Among other things, recommendations included 
development of information standards at an agency level, and use of 
these standards within a common enterprise information model within 7 
to 10 years. 

Source: GAO analysis. 

[End of table] 

[End of section] 

Appendix V: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Valerie C. Melvin, (202) 512-6304 or melvinv@gao.gov: 

Staff Acknowledgments: 

In addition to the contact person named above, key contributors to this 
report were Cynthia Scott, Assistant Director; Shaun Byrnes; Barbara 
Collier; Neil Doherty; Rebecca Eyler; Anh Le; Glenn Spiegel; Shawn 
Ward; and Daniel Wexler. 

[End of section] 

Footnotes: 

[1] The Department of Agriculture regulates meat, poultry, and some egg 
products. 

[2] OMB, Management of Federal Information Resources, Circular No. A- 
130 (Washington, D.C., Nov. 28, 2000) and Planning, Budgeting, 
Acquisition, and Management of Capital Assets, Circular No. A-11, Part 
7 (Washington, D.C., July 2003). 

[3] The Clinger-Cohen Act of 1996 requires the use of certain effective 
IT management practices related to strategic planning such as capital 
planning and investment management. 40 U.S.C. §§11311-11313. 

[4] For example, GAO, Information Technology: Foundational Steps Being 
Taken to Make Needed FBI Systems Modernization Management Improvements, 
[hyperlink, http://www.gao.gov/products/GAO-04-842] (Washington, D.C.: 
Sept. 10, 2004). 

[5] An enterprise architecture is a set of descriptive models (e.g., 
diagrams and tables) that define, in business terms and in technology 
terms, how an organization operates today, how it intends to operate in 
the future, and how it intends to invest in technology to transition 
from today's operational environment to tomorrow's. 

[6] Our Information Technology Investment Management Framework, 
Enterprise Architecture Management Maturity Framework, and framework 
for strategic human capital management are described later in this 
report. 

[7] Office of Inspector General, Department of Health and Human 
Services, Audit of the Food and Drug Administration's Security Program 
(October 2008). 

[8] "Adverse event" is the term used by FDA to refer to any untoward 
medical event associated with the human use of a medical product. 

[9] The Prescription Drug User Fee Act of 1992 (PDUFA) authorized FDA 
to collect fees from pharmaceutical companies to help fund the review 
of human drug applications. See Pub. L. No. 102-571 (Oct. 29, 1992). 
PDUFA has been reauthorized three times, in 1997 (PDUFA II), 2002 
(PDUFA III), and most recently, in 2007 by the FDA Amendments Act of 
2007, Pub. L. No. 110-85, title I (Sept. 27, 2007) (PDUFA IV). PDUFA IV 
expanded the list of postmarket activities for which the fees could be 
used to include developing and using adverse-event-data-collection 
systems, including IT systems. As part of its efforts to improve the 
automation of business processes and acquire and maintain information 
systems in its implementation of PDUFA IV, FDA developed the PDUFA IV 
IT Plan. 

[10] After the Acting Commissioner provided comments, Dr. Margaret 
Hamburg was sworn in as Commissioner of Food and Drugs. 

[11] FDA Science Board, FDA Science and Mission at Risk (Rockville, 
Md., November 2007). 

[12] Deloitte Consulting, Food and Drug Administration: Enterprise 
Information Management Strategy (Atlanta, Ga., Dec. 10, 2007). 

[13] GAO, Food and Drug Administration: Improvements Needed in the 
Foreign Drug Inspection Program, [hyperlink, 
http://www.gao.gov/products/GAO/HEHS-98-21] (Washington, D.C.: Mar. 17, 
1998). 

[14] GAO, Drug Safety: Better Data Management and More Inspections Are 
Needed to Strengthen FDA's Foreign Drug Inspection Program, [hyperlink, 
http://www.gao.gov/products/GAO-08-970] (Washington, D.C.: Sept. 22, 
2008); Medical Devices: FDA Faces Challenges in Conducting Inspections 
of Foreign Manufacturing Establishments, [hyperlink, 
http://www.gao.gov/products/GAO-08-780T] (Washington, D.C.: May 14, 
2008); Drug Safety: Preliminary Findings Suggest Recent FDA Initiatives 
Have Potential, but Do Not Fully Address Weaknesses in Its Foreign Drug 
Inspection Program, [hyperlink, 
http://www.gao.gov/products/GAO-08-701T] (Washington, D.C.: Apr. 22, 
2008); Medical Devices: Challenges for FDA in Conducting Manufacturer 
Inspections, [hyperlink, http://www.gao.gov/products/GAO-08-428T] 
(Washington, D.C.: Jan. 29, 2008); Drug Safety: Preliminary Findings 
Suggest Weaknesses in FDA's Program for Inspecting Foreign Drug 
Manufacturers, [hyperlink, http://www.gao.gov/products/GAO-08-224T] 
(Washington, D.C.: Nov. 1, 2007); Food and Drug Administration: 
Improvements Needed in the Foreign Drug Inspection Program, [hyperlink, 
http://www.gao.gov/products/GAO/HEHS-98-21] (Washington, D.C.: Mar. 17, 
1998). 

[15] High Performance Technologies, Inc., FDA Information Technology 
Applications Assessment, vol. I (March 2008). 

[16] According to Deloitte, these should include enterprisewide 
information and applications, common scientific IT tools to support 
FDA's scientific information needs, and a common set of information 
management services such as data management. 

[17] Breckenridge Institute, Independent Verification and Validation of 
AERS II Requirements Process (Breckenridge, Colo., November 2006). 

[18] Office of Inspector General, Department of Health and Human 
Services, Audit of the Food and Drug Administration's Security Program 
(October 2008). 

[19] According to the Inspector General, a security program 
infrastructure includes an assessment of management's long-range plans, 
documented goals and objectives, security management personnel, and 
prioritization of IT needs. 

[20] FDA developed PDUFA III Performance Goals and Procedures in its 
implementation of PDUFA III, Pub. L. No. 107-188, title V (June 12, 
2002). Under the PDUFA III Performance Goals and Procedures, FDA 
established Electronic Application and Submission Goals. According to 
FDA, it has continued to strengthen IT infrastructure and information 
management in its implementation of PDUFA IV. 

[21] 40 U.S.C. §§11311-11313. 

[22] Paperwork Reduction Act, 44 U.S.C. § 3506. 

[23] E-Government Act of 2002, Pub. L. 107-347, § 209 (Dec. 17, 2002). 

[24] See OMB, Management of Federal Information Resources, Circular A- 
130 (Washington, D.C., Nov. 28, 2000) and Planning, Budgeting, 
Acquisition, and Management of Capital Assets, Circular A-11, Part 7 
(Washington, D.C., July 2003). 

[25] GAO, Information Technology Investment Management: A Framework for 
Assessing and Improving Process Maturity (Version 1.1), [hyperlink, 
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 
2004). 

[26] GAO, Information Technology: A Framework for Assessing and 
Improving Enterprise Architecture Management (Version 1.1), [hyperlink, 
http://www.gao.gov/products/GAO-03-584G] (Washington, D.C.: April 
2003). 

[27] GAO, A Model of Strategic Human Capital Management, [hyperlink, 
http://www.gao.gov/products/GAO-02-373SP] (Washington, D.C.: Mar. 15, 
2002). 

[28] See FDA Has Made Mixed Progress in Key IT Management Practices, 
24. 

[29] OMB, Management of Federal Information Resources, Circular No. 
A-130 (Washington, D.C., Nov. 28, 2000) and Planning, Budgeting, 
Acquisition, and Management of Capital Assets, Circular No. A-11, Part 
7 (Washington, D.C., July 2003). 

[30] These are being replaced with two new data centers intended to 
provide flexibility and expandability to meet FDA's ongoing and future 
IT needs. Additionally, ICT21 is to address limitations in the agency's 
ability to ensure that FDA's critical information is not lost and that 
IT systems continue to operate during a disaster by establishing 
disaster recovery capabilities. 

[31] For example, a shipment's risk assessment might be raised if it 
comes from a shipper with prior violations, has been transshipped 
through unusual ports, or comes from an area where there has been an 
event that might affect food storage, such as a tsunami. Currently, the 
system has been successfully piloted at one location to monitor 
seafood, and is being piloted at a second location to monitor seafood; 
FDA plans to expand PREDICT to additional types of food and all 
locations. 

[32] Because of the different scopes and purposes of the Strategic 
Action Plan and the PDUFA IV IT Plan, it would not be expected that 
each plan would cover all the identified IT limitations or improvement 
activities. 

[33] GAO, Financial Management Systems: Additional Efforts Needed to 
Address Key Causes of Modernization Failures, [hyperlink, 
http://www.gao.gov/products/GAO-06-184] (Washington, D.C.: Mar. 15, 
2006). 

[34] [hyperlink, http://www.gao.gov/products/GAO-04-394G]. 

[35] See, for example, GAO, Computer-Based Patient Records: VA and DOD 
Efforts to Exchange Health Data Could Benefit from Improved Planning 
and Project Management, [hyperlink, 
http://www.gao.gov/products/GAO-04-687] (Washington, D.C.: June 7, 
2004). 

[36] Reviewing the implementation of the agency's project management in 
specific projects was beyond the scope of this review. 

[37] Most recently, GAO, High-Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 
2009). 

[38] [hyperlink, http://www.gao.gov/products/GAO-03-584G]. 

[39] See, for example, OMB, Federal Enterprise Architecture Business 
Reference Model, Version 2.0 (June 2003) and Management of Federal 
Information Resources, Circular No. A-130 (Nov. 28, 2000); Chief 
Information Officers Council, A Practical Guide to Federal Enterprise 
Architecture, Version 1.0 (February 2001). 

[40] In segment architecture, an organization is divided into multiple 
portions, called segments, that correspond to mission areas, shared 
business services, or shared IT services. 

[41] Federal CIO Council, Federal Segment Architecture Methodology 
(FSAM), Version 1.0 (Dec. 8, 2008). 

[42] For example, our prior work has shown negative cost and schedule 
implications for complex services acquisitions at the Department of 
Homeland Security that did not have adequate staff. See GAO, Department 
of Homeland Security: Better Planning and Assessment Needed to Improve 
Outcomes for Complex Service Acquisitions, GAO-08-263 (Washington, 
D.C.: Apr. 22, 2008). 

[43] GAO, Human Capital: Key Principles for Effective Strategic 
Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39] 
(Washington, D.C.: Dec. 11, 2003). 

[44] OMB, Management of Federal Information Resources, Circular No. 
A-130 (Washington, D.C., Nov. 28, 2000) and Preparation, Submission and 
Execution of the Budget, Circular No. A-11 (Washington, D.C., June 
2008). 

[45] The Clinger-Cohen Act of 1996 requires the use of certain 
effective IT management practices related to strategic planning such as 
capital planning and investment management. 40 U.S.C. §§11311-11313. 

[46] For example, GAO, Information Technology Management: 
Governmentwide Strategic Planning, Performance Measurement, and 
Investment Management Can Be Further Improved, [hyperlink, 
http://www.gao.gov/products/GAO-04-49] (Washington, D.C.: Jan. 12, 
2004) and Information Technology: Foundational Steps are Being Taken to 
Make Needed FBI Systems Modernization Management Improvements, 
[hyperlink, http://www.gao.gov/products/GAO-04-842] (Washington, D.C.: 
Sept. 10, 2004). 

[47] GAO, Information Technology Investment Management: A Framework for 
Assessing and Improving Process Maturity (Version 1.1), [hyperlink, 
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March 
2004). 

[48] GAO, Information Technology: A Framework for Assessing and 
Improving Enterprise Architecture Management (Version 1.1), [hyperlink, 
http://www.gao.gov/products/GAO-03-584G] (Washington, D.C.: April 
2003). 

[49] GAO, Human Capital: Key Principles for Effective Strategic 
Workforce Planning, [hyperlink, http://www.gao.gov/products/GAO-04-39] 
(Washington, D.C.: Dec. 11, 2003). 

[50] OMB, Federal Enterprise Architecture Program Management Office, 
Value to the Mission: FEA Practice Guidance (November 2007). 

[51] The study was performed by the Science and Technology Subcommittee 
of the FDA Science Board, which was established by the FDA Commissioner 
in 2006 as an advisory board. The subcommittee is made up of three 
members of the Science Board and other experts representing industry, 
academia, and other government agencies. 

[52] As of August 7, 2008. 

[End of section] 
